Distributive access controller

ABSTRACT

A device for securely controlling communications among or within computers, computer systems, or computer networks, comprising: (a) a primary access port to which an “owner” computer program, computer, computer system, or computer network is connectable to access shared computer resources; (b) a secondary access port to which a non-owner computer program, computer, computer system, or computer network is connectable to access the shared computer resources; (c) a transfer port to which a shared computer resource is connectable to provide controlled access to that computer resource from computer programs, computers, computer systems, or computer networks connected to the access ports; and (d) a separate physical communication path to and from each access port and each transfer port, where access permissions and restrictions for each communication path are set by the owner of the device through the primary access port.

TECHNICAL FIELD

This invention relates to devices for controlling access to resources shared by multiple computer systems, or multiple programs within a computer system, so as to allow secure sharing of common resources among those systems or programs. This invention also relates to the use of those access control devices as controlled portals through which different computer systems or programs communicate and share information securely.

BACKGROUND

Traditionally, in a system of computers, storage units have been created such that each storage unit interfaces with a single controlling system that has full control over that storage unit. Prior to networking operating systems, protection of shared information was possible only by the presence of built-in password protection capabilities within individual application software. Passwords have since been shown to be only marginally effective and, even then, marginally effective against only casually curious individuals; passwords have been shown to be totally ineffective by themselves against theft, damage or loss of information on such systems.

U.S. Pat. No. 5,434,562 to Reardon suggested a method of protecting storage unit(s) on such systems by use of access control switches to apply limited access privileges, and by which multiple users can share the storage unit(s), one user at a time. However, the invention Reardon proposed applies only to singular systems having multiple, non-concurrent users.

U.S. Pat. No. 6,052,781 to Weber further proposed a method by which an individual computer system, also with non-concurrent users, can protect individualized storage. The invention Weber proposed “virtualized” the system to represent individually any number of personalized configurations available to users, identifiable by password. However, as mentioned above, the use of passwords has provided little real protection to date.

Today, networking is the primary means by which computer systems share information storage. Unfortunately, network methodology was never designed with security in mind. This is the primary reason for the poor performance of network security systems in attempts to prevent unauthorized access by knowledgeable “hackers”. The advent of networking operating systems allowed data sharing with other systems connected to the network, using software methods to facilitate and control the type of access allowed to the storage units. However, software-sharing methods must necessarily be implemented using a “client-server” architecture. This client-server model necessitates a means for clients to directly access the server (via requests), which the server then services by performing actions in its environment on the clients' behalf. These requests can be tailored to generate instability in the server's environment, which the client may later exploit. This is the primary means by which most forms of network-based intrusions are perpetrated. Network-based intrusions are insidious because would-be perpetrators can perform acts as if locally present, but remain protected by the anonymity they can achieve and the physical distance over which they can act.

Thus, a new means of controlled access to shared resources needs to be designed to solve this fundamental flaw of networking. The new method should not only restrict access, but it should provide “transparent” access to the information to which the client is allowed—that is, within the boundaries of the overall restricted access, access to the permitted information should be direct and unrestricted and not require a server as an intermediary. Transparent access implies that clients need not, and cannot, know that the server or other clients exist and, as such, clients must not be able to issue direct requests to servers. Transparency eliminates the possibility of remote access control of the server and the need to make the server's critical systems accessible to the client. The new method should be able to apply incontrovertible location identity to all involved and make local presence at the appropriate location a prerequisite for any attempt at subversion within a given private network.

It is obvious that the individual systems described by Reardon and Weber could be outfitted with networking operating systems to operate on a network. However, the resulting network could not negate remote access control, anonymity, or identity obfuscation, and the resulting access to the “protected” storage would be neither transparent nor restrictive to selected users. This is because the very nature of computers and the “cyber world”, as it exists today, resists the requirements for security. The networking software itself defeats the physical protection that the above inventions once attempted to impart to the storage medium. Now, the different users need only access to the network in order to gain the access to that which they were once denied by those patented physical mechanisms, without needing to contend with the protective mechanisms that they provide. Therefore, those systems would still be subject to exploitation and to the flaws in programs and operating systems.

European Patent No. EP0827065A2 proposed a non-networked means of sharing storage between two architecturally different computer systems via a special storage device controller. No method of restricting access was discussed or provided. The purpose ascribed to that invention—namely, allowing computer systems having different data formats to share storage and allowing the mainframe to back up the shared storage—is unrelated to security. The function of the storage device controller in that invention is merely to convert data addresses from different computer systems so as to permit access to the shared storage and to permit the mainframe to back up that storage.

European Patent No. EP0367702A2 presented an invention to facilitate access to shared storage by multiple processors in a multiprocessor environment. The method discussed would strictly prohibit transparent sharing and access control since the “owner” processor must process requests posted to it by “requestor” processors. In fact, the method described is almost totally encapsulated by networked systems; thus, the objections to networking made above in respect of security and transparency would apply to this patented invention as well.

Finally, U.S. Pat. No. 5,935,205 to Murayama et al. presented an invention involving a network-like arrangement of computers sharing storage units via a specialized storage controller and computer coupling adapters. Access control to any shared storage unit is in the form of identification and password authentication and is mediated by the resident storage controller on the system to which the storage unit was directly attached. However, the desired features of transparent access and inaccessible access control to guarantee security have not been provided. In addition, the authentication method used to control access can easily be defeated, and individual elements of the system could be reconfigured to pose as any other element to gain illegal access.

Recently, development of the fiberchannel switch network and its use within storage area networks (SAN) has been touted as the ideal secure data network. While the fiberchannel storage bus does allow multiple devices to share the same storage systems, it does not however provide the necessary transparent access rights control. This means that any system that can gain access to the bus can act as an imposter and, by switching identities, can discover all other elements that populate the bus. In addition, the SAN must be used in conjunction with a standard network. Since the security of such networks is the current concern, it provides the means by which a remote attacker can bypass any safety measures in the SAN by attacking the system that has valid access to the data in question. Furthermore, most SAN implementations utilize the client-server model of data access and sharing, providing yet another means for attackers to exploit software-related risks on the servers and clients.

Thus, there still exists a need for a non-standard networked means of sharing storage units or other resources that is secure and presents no danger to any attached host system. Standard network access control methods have been shown to be ineffective in many cases, and allowing any type of access over such networks promotes vulnerabilities to attacks from remote systems. The industry has responded inappropriately to the shortcomings of software methods of access control, creating more and more layers of elaborate software controls, none of which have yet fulfilled the task of securing shared information from unauthorized access. The solutions themselves add to the list of vulnerabilities in a system.

On a related issue, the nature of standard networks and the client-server model give rise to similar problems in respect of the secured sharing of information between systems. The advent of networking systems helped to remove the burden of communicating or transmitting information, but networks were originally devised to share information between privileged, trusted individuals and thus required few safeguards to protect the information or its storage and manipulation systems. This shortfall has been made painfully obvious since the birth of the Internet, which now allows any information system to be instantly accessible by any other system from any location in the world. Mischievous and malicious individuals alike can now cause serious damage to systems operation as well as loss or thievery of information.

Often, the type of access violation stems from the manner in which computers and programs network or share information. The attacker has an interface to a program or computer that sends input to another program to request (a query) that it make some information available for sharing (typical of the classic client-server model). The query or sequence of queries maligns the server's processing of queries, or processing of information related to processing the queries. Now the attacker can make certain subsequent queries which force (trick) the server to send information that it should and would not normally send to the client, or modify information or processing of information for the server or other clients. This is obviously a problem of lack of transparency in data sharing. The fulfillment of requests and the subsequent release of, or access to, such information is the subject of daily hacking news reports.

Still, security solutions overlook this basic flaw and instead target the symptoms. Security methods such as encryption, public-key infrastructure, digital certificates, authentication, and firewalls have been devised with the intent of limiting unauthorized activities or rendering stolen information practically useless to thieves. These methods have thus far proven to be only partly effective, requiring relentless updating and revisions just to keep up with the resourcefulness of intruders. It is becoming obvious that software solutions will never provide a cure because software itself can be manipulated and exploited remotely with no risk to the interloper. Other hardware/software combinations have also had limited success because, even when functioning as designed, they provide loopholes which allow imposters access to any information or activity normally expected of the individual being impersonated. Most importantly, security solutions that target information storage and sharing themselves operate on the flawed client-server architecture, making them susceptible to its inherent risks.

SUMMARY OF INVENTION

This invention defines a broad class of physical devices collectively called “distributive access controllers” (each one, a “DAC”), which can be applied as conjunctive devices or as an integrated part of any kind of information storage unit or computer system or other resource requiring protection. Applied as such, these DACs allow secure sharing of common storage/resource(s) by transforming logically partitioned systems into physically partitioned systems with more secure electronic connectivity, and by removing the control of access permissions beyond the reach of attached systems. These DACs provide multiple access ports to the shared resource(s) while governing the type of access allowed at each access port. Typically, each DAC provides a primary “access port” to which a capable owner connects to gain full control of the shared resource(s), and at least one other secondary access port to which any other user or system connects to gain restricted access to the shared resource(s). Those shared resource(s) in turn are connected to one or more “transfer ports” provided by the DAC, and access between any given access port and transfer port is governed by the DAC's hardware and may be changed only via the DAC's installed switches. These DACs enhance access control from attached systems by utilizing their physical point of attachment, namely each of the access ports, as an unmodifiable identity (ID) element. This mode of action generates a more trustworthy environment by removing the possibility that an attached system could act as an impostor and gain access to attached resources to which it has not been given rights. The owner of the attached storage units and the DAC can be certain that no attached system (whether local or remote) can override the DAC's access permissions.

Systems can share information and information storage in a non-standard networked manner, with broad access restrictions provided by the DAC. The DAC can be applied to any storage unit(s) or other resource(s) and operates at the level of a communication bus. It provides multiple access paths to the storage unit(s) or resource(s), monitors information access requests, and allows only the pre-determined access path and access permission to be applied to a given access port. The sharers may now share the same resources (and thus the same information) with different access permissions without the need to request the information from a server. It affords the “clients” the assurance that the information they receive does not come from another unintended “client”, and it assures the “server” that “clients” cannot override their specified access permissions.

Since this level of access control supersedes the “server's” control and is not subject to “client” access or control, the DAC can provide failsafe security. DACs can be interconnected to support sharing of larger storage clusters by higher numbers of concurrent attachments by connecting any DAC access port to a transfer port of another DAC, or by connecting any access port attachment to two similar or dissimilar DAC devices.

Secure storage using the DAC allows each access port attachment to have private storage that cannot be illegally accessed by other attachments on the DAC, and allows such systems to place or retrieve shared information from specifically designated storage units. In terms of networking, this means that a “server” can control what information is shared with which “client” without the possibility of the “client” requesting and possibly gaining access to restricted information through a malformed request. As far as the “client” is concerned, all the information that it can ever obtain from the “server” is already in its “own” system. The “server's” administrator alone determines what to share with the “client” and when to make it accessible. If the “server” places the information in a shared storage unit that the client can only read, then the client cannot even modify its “own” information stores. When one considers that the target of many intrusions is to gain access to restricted information, or to modify or damage controlled information (such as a web page), it becomes obvious that DACs can be used to prevent these events.

This target-oriented validation enables the target to properly complete its source identity validation, while ensuring that a compromised source cannot exceed its bounds and gain illegal access to systems on the network.

DACs can also be used as controlled portals for the secure communication and sharing of information between systems. Because access to such devices is not controlled by the systems which use them, and access is made transparently with respect to other attached systems, they are impervious to software methods of subversion. Their judicious usage would naturally confer proof against intrusion from external systems if used as a communication channel. This communication channel is composed of DACS, several implied a-priori rules that replace the client-server model of networking, and functional “agents”. The key enabling component is the use of the DAC along with digital storage units to provide a physical checkpoint barrier at which all information can be subjected to scrutiny. Because the DAC allows multiple systems to transparently share storage units, and applies categorical restrictions to accessing the storage unit, even certain types of impersonation attempts (a means of invasion) can be detected and actively inhibited. The DAC-based communications channels allow restructuring of the client/server model into a private anonymous-server network model. This model is based on the principle that “client” systems are essentially incomplete systems that cannot independently access or process the necessary information, and thus need the support of the network to be complete. In addition, “server” systems are really just a collection of functions that clients can use to give them the semblance of being complete.
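A small model of the access rules the Summary describes, added here as an illustration and not the patent's own design or code: the DAC decides on the physical access port an operation arrives on, never on an identifier the attachment claims; only the owner on the primary port can change an access-port-to-transfer-port permission; and, as one way to read the glossary's shadow pair (Sx⁰ and Sx^(s)), a write attempted over a read-only path is diverted to the shadow storage and recorded instead of reaching the primary. Port numbers, block addresses and the stored content are constructed for the example.

```python
"""Constructed model of a distributive access controller (DAC) permission table."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Perm(Enum):
    NONE = 0        # no path from this AP to this TP at all
    READ = 1        # the AP attachment may read the TP attachment
    READ_WRITE = 2  # full access, typical of the owner on the primary AP


class AccessDenied(Exception):
    """Raised when the DAC refuses an operation on the requesting port."""


@dataclass
class Storage:
    """A terminal unit on a transfer port: a block-addressed store (constructed)."""
    name: str
    blocks: dict = field(default_factory=dict)


@dataclass
class Entry:
    perm: Perm
    shadow_tp: Optional[int] = None  # TP holding the shadow target, if configured


class DAC:
    PRIMARY_AP = 0  # the 1° access port; whatever is attached there is the owner

    def __init__(self, n_access_ports: int):
        self.n_ap = n_access_ports
        self.transfer_ports: dict[int, Storage] = {}
        self.table: dict[tuple[int, int], Entry] = {}  # (APID, tPID) -> entry
        self.log: list[str] = []  # violation record an IIDS-style observer could read

    def attach(self, tpid: int, storage: Storage) -> None:
        self.transfer_ports[tpid] = storage

    def set_permission(self, caller_ap, apid, tpid, perm, shadow_tp=None):
        """Change one AP->TP entry. caller_ap is the physical port the command
        arrived on; only the primary port is honoured, whatever the caller says."""
        if caller_ap != self.PRIMARY_AP:
            self.log.append(f"AP{caller_ap}: permission change for AP{apid}->TP{tpid} rejected")
            raise AccessDenied("permission changes are accepted only on the primary AP")
        if apid >= self.n_ap or tpid not in self.transfer_ports:
            raise ValueError("unknown port")
        if shadow_tp is not None and shadow_tp not in self.transfer_ports:
            raise ValueError("unknown shadow port")
        self.table[(apid, tpid)] = Entry(perm, shadow_tp)

    def _entry(self, apid, tpid) -> Entry:
        return self.table.get((apid, tpid), Entry(Perm.NONE))

    def read(self, apid, tpid, block, claimed_sid=None):
        """Read via the DAC. claimed_sid is whatever the attachment asserts about
        itself; it is logged for the record but never consulted for the decision."""
        e = self._entry(apid, tpid)
        if e.perm is Perm.NONE:
            self.log.append(f"AP{apid} (claims SID {claimed_sid!r}): read TP{tpid} denied")
            raise AccessDenied(f"AP{apid} has no path to TP{tpid}")
        return self.transfer_ports[tpid].blocks.get(block)

    def write(self, apid, tpid, block, data, claimed_sid=None):
        """Write via the DAC; returns the TP that actually received the data.
        On a read-only path with a shadow configured, the write lands on the
        shadow and the attempt is logged, so the primary copy stays untouched."""
        e = self._entry(apid, tpid)
        if e.perm is Perm.READ_WRITE:
            self.transfer_ports[tpid].blocks[block] = data
            return tpid
        if e.perm is Perm.READ and e.shadow_tp is not None:
            self.transfer_ports[e.shadow_tp].blocks[block] = data
            self.log.append(f"AP{apid}: write to TP{tpid} diverted to shadow TP{e.shadow_tp}")
            return e.shadow_tp
        self.log.append(f"AP{apid} (claims SID {claimed_sid!r}): write TP{tpid} denied")
        raise AccessDenied(f"AP{apid} may not write TP{tpid}")


def is_denied(action, *args, **kwargs) -> bool:
    """True if the DAC refused the action (small helper for checks)."""
    try:
        action(*args, **kwargs)
    except AccessDenied:
        return True
    return False


def build_demo() -> DAC:
    """Owner on AP0 publishes a page on S1 and shares it read-only with AP1,
    with S1s (constructed names) acting as the shadow of the pair."""
    dac = DAC(n_access_ports=2)
    dac.attach(1, Storage("S1"))   # Sx⁰, primary of the shadow pair
    dac.attach(2, Storage("S1s"))  # Sx^(s), its shadow
    dac.set_permission(DAC.PRIMARY_AP, 0, 1, Perm.READ_WRITE)
    dac.set_permission(DAC.PRIMARY_AP, 1, 1, Perm.READ, shadow_tp=2)
    dac.write(0, 1, block=7, data=b"index.html v1")  # the owner publishes
    return dac
```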

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a general schematic illustration of a DAC depicting its primary functional component blocks.

FIG. 2 is a general schematic illustration of a network-like system utilizing a DAC.

FIG. 3 is a detailed schematic illustration of the chief components of a DAC adapted for SCSI systems.

FIG. 4 is a schematic illustration depicting the functional layout of the “Interlock and Datalink Coordinator” processing component of the SCSI oriented DAC.

FIG. 5 is a conceptual diagram of an access port permission table composed by an “Access Control Interface” unit to implement access control requirements specified by the owner of a SCSI oriented DAC.

FIG. 6 is a detailed schematic illustration of an access controller unit for an access port in a SCSI oriented DAC.

FIG. 7 is a more detailed schematic illustration of the “Reset and Initialization” subcomponent present on the access controller unit for the primary access port in a SCSI oriented DAC.

FIG. 8 is a detailed schematic illustration of an access controller unit for a transfer port in a SCSI oriented DAC.

FIG. 9 is a flowchart outlining the initialization process which prepares a SCSI oriented DAC for normal operation.

FIG. 10 is a diagram of the logical structure of an access table used by a SCSI oriented DAC.

FIG. 11 is a flowchart illustrating the operation of the Alert module of an access controller unit for a SCSI oriented DAC.

FIG. 12 is a flowchart depicting the actions of the “Interlock and Datalink Coordinator” processing component to a Request/Process signal asserted by the Alert module to locate and address accessibility to a requested target system.

FIG. 13 is a diagram of the Transitory Stack of a SCSI oriented DAC.

FIG. 14 is a flowchart depicting how a SCSI oriented DAC uses internal routing controls to enforce port usage and access transparency.

FIG. 15 is a flowchart depicting the formal operation process of a SCSI oriented DAC for a particular access port to transfer port communication session.

FIG. 16 is a flowchart illustrating how the “Interlock and Datalink Coordinator” processing component filters restricted commands and messages when requested by an access controller unit of a SCSI oriented DAC.

FIG. 17 is a flowchart depicting the operations required to release any unique source identifier used by a SCSI oriented DAC for later reuse.

FIG. 18 is a state diagram showing the operation states through the fill operation of a SCSI oriented DAC.

FIG. 19 is a general schematic illustration showing the logical re-arrangement of RAM memory effected by use of a RAM oriented DAC.

FIG. 20 is a state diagram showing the operational states through the overall operations of the hardware component of a RAM oriented DAC.

FIG. 21 is a detailed schematic illustration of the components of a RAM oriented DAC.

FIG. 22 is a diagram showing the logical arrangement of the internal cache memory of a RAM oriented DAC.

FIG. 23(A) is a diagram showing the implementation of an “AP Request Translator” lookup table defining the AP-attachments assigned to the current access port and their associated data set selectors.

FIG. 23(B) is a diagram showing the implementation of a “TP Request Translator” lookup table containing the data ranges of a transfer port assigned to the current AP-attachment, their associated access permissions, and the shadow offset if defined.

FIG. 24 is a flowchart illustrating all processes/functions of the hardware of a RAM oriented DAC and their contribution to the validation and processing of all memory accesses.

FIG. 25 is a state diagram which shows the recommended operational states of the OS independent software component of a RAM oriented DAC.

FIG. 26 is a flowchart showing the process used by a RAM oriented DAC for the validation of access to data memory space.

FIG. 27 is a flowchart showing the process used by a RAM oriented DAC for the validation of access to instruction memory space.

FIG. 28 is a flowchart showing the means by which approved memory accesses are routed by a RAM oriented DAC.

FIG. 29 is a flowchart showing the means by which a memory access is shadowed to a target that is different from that which was requested.

FIG. 30 is a flowchart showing the processing of access violations by an access controller of a RAM oriented DAC.

FIG. 31 is a flowchart showing the manner in which a RAM oriented DAC effects a safe transition between two different programs.

FIG. 32 is a state diagram which illustrates the program-controlled flow of program execution within a RAM oriented DAC.

FIG. 33 is a diagram illustrating the use of DAC-controlled storage units (“DACS”) to define private bidirectional checkpoints with asynchronous duplexing access capability, where the DACS are based on RAM oriented DACs.

FIG. 34 is a diagram illustrating how to use RAM oriented DACS to define communication channels for the secure sharing of a common resource.

FIG. 35(A) is a schematic diagram showing a hybrid network using DACS to maintain segment integrity and distinction.

FIG. 35(B) is a schematic diagram showing detailed data paths for active systems on a first DAC of that hybrid network. FIG. 35(C) is a schematic diagram showing detailed data paths for active systems on a second DAC of that hybrid network. FIG. 35(D) is a schematic diagram showing detailed data paths for active systems on the central DAC of that hybrid network.

FIG. 36 is a schematic diagram showing the backbone of a hybrid DACS network showing system data paths of an “Internal Intrusion Detection System” (“IIDS”).

FIG. 37 is a schematic diagram showing the backbone of a hybrid DACS network showing central control possible with a “System Master” unit.

FIG. 38 is a schematic diagram illustrating the manner in which DACs can be interconnected in a hybrid network and illustrating network communications on that network.

DESCRIPTION

Throughout the following description, specific details are set forth in order to provide a more thorough understanding of the invention. However, the invention may be practiced without these particulars. In other instances, well known elements have not been shown or described in detail to avoid unnecessarily obscuring the present invention. Accordingly, the specification and drawings are to be regarded in an illustrative, rather than a restrictive, sense.

Glossary

In the description below and in the drawings, the following terms have the following meanings (which will be explained in further detail in the description below):

- attachment: the device or system attached to an AP or TP port (an AP-attachment or TP-attachment respectively)
- terminal unit: a TP-attachment that is explicitly addressable using a TID
- DAC: Distributive Access Controller
- AP: Access Port, a location at which processor systems may attach to the DAC
- TP: Transfer Port, a location at which storage systems or other DACs may attach to the DAC
- 1⁰: as indicated by the context, either: (1) the Primary AP (the AP at which a system is allowed to issue restricted commands via the DAC); or (2) the Primary target (a shadowed device which an AP can explicitly target)
- 2⁰: Secondary AP, the AP at which restricted systems may attach to gain access to TP devices
- APxU: Access controller unit for an enumerated AP, x being a variable
- RUy: Access controller unit for an enumerated TP, y being a variable
- IDC: Interlock and Datalink Coordinator, a centralized processing component for coordinating path allocation and control through a SCSI DAC
- ACI: Access Control Interface, access control unit from which the device owner specifies the access control parameters for each AP to TP link
- Alert: a snoop module that detects when an attachment is beginning a bus access and alerts the DAC so that a path to the intended target can be established
- RI: Reset and Initialization subcomponent, a SCSI DAC subcomponent responsible for generating a reset condition and for initializing the state of the DAC
- PCC: Port Communication Controller, a SCSI DAC sub-component responsible for supervising the activities through each established unidirectional path of an effectively bidirectional bus
- IRC: Interface Request Controller, an IDC subunit that records and prioritizes R/P requests from an APxU or RUy
- R/N: Reset/Normal, a SCSI DAC signal that holds DAC components in the reset state while the RI subunit is active
- rPID: reset Port ID, register used to assign a port ID to the RI module
- SD or SDy: Storage Device, an enumerated terminal unit, represented by y, attached to a TP and directly identified within the DAC by its TID
- SCSI: Small Computer System Interface; refers to a standard interface scheme for attaching devices to a computer
- sUy-APs:bAPx: describes a selectable path from RUy to the enumerated AP bus represented by x
- sAPx-SUs:bSUy: describes a selectable path from APxU to the enumerated TP bus represented by y
- path(xx): establishment of a bi-directional path specified by a path selector designated as xx, e.g. path(tP)
- spath(xx): establishment of a bidirectional path specified by a shadow path selector designated as xx, e.g. spath(sP)
- lpath(xx): latches the state of the given bus path by holding the output buffers (bXXx of the selectable path sYYy-XXs:bXXx), essentially isolating the AP and the TP from each other; the path is still considered to be in use; usually asserted to select between the 1⁰ and the shadow target of a shadow pair
- path( ): destruction of the path previously established by path(xx)
- spath( ): destruction of the path previously established by spath(xx)
- G/D: Grant/Deny, a signal issued by IDC to APxU or RUy to indicate whether the required path or target is available and to reserve the path access for APxU or RUy
- R/P: link Request/Command Process, a signal issued by APxU and RUy to request clearance to establish a path between an AP and TP attachment, or to qualify the bus signals required to safely process a SCSI C/M
- A/b: a positive asserted signal, e.g. G/d means Grant was asserted
- a/B: a negative asserted signal, e.g. g/D means Deny was asserted
- DB: Data Bus, collection of electrical paths that connect devices and through which the devices send each other data
- CB: Control Bus, collection of electrical paths that connect devices and through which the devices classify and control the use of DB
- DS: Data Shunt, a shunt pathway used by the RI subunit during a bus scan; DS returns DB and CB to RI while the AP buses are disabled
- SID: Source Identifier, the name or number used to explicitly address an AP attachment
- APID: AP Identifier, the name or number used to explicitly reference an AP
- TID: Target Identifier, the name or number used to explicitly address an SDy device
- sT: shadow Target identifier, the name or number used to explicitly address the SDy device to be used as the shadow for a TID
- tPID: TP identifier, the name or number used to reference a specific TP
- tP: the path selector for creating a bi-directional path between APx and SDy; contains components necessary to establish the correct sUy-APs:bAPx and sAPx-SUs:bSUy pair
- sPID: shadow Port identifier, the name or number used to reference the specific TP to which the sT is attached
- sP: the path selector for creating a bidirectional path between APx and SDy, where SDy is a shadow device; contains components necessary to establish the correct sUy-APs:bAPx and sAPx-SUs:bSUy pair
- BSY: Busy, a SCSI specific signal that informs devices on the bus whether or not the bus is in use
- SEL: Selection, a SCSI specific signal that informs the units currently using the bus to enter the SCSI Selection or Reselection state
- ATN: a SCSI specific signal that informs a target device the bus will enter the Message state
- C/D: Command/Data, a SCSI specific signal that clarifies the current bus phase as C/M or Data
- MSG: Message, a SCSI specific signal that clarifies the C/M bus phase as Message versus Status or Command
- I/O: Input/Output, a SCSI specific signal that clarifies the bus direction as input or output
- C/M: Command/Message mode, a SCSI specific DAC mode in which the DAC rejects, substitutes, or allows Messages, Status and Commands to enforce the given permissions
- Data: as indicated by the context, either: (1) Data mode, a SCSI specific DAC mode during which the DAC must allow, modify or block bus controls and information flow to enforce the given permissions; or (2) Data bus between the DAC and the storage units of a RAM DAC
- Data′: Data bus between the DAC and the processor units of a RAM DAC
- Interlock: a SCSI specific DAC signal set by Alert to indicate that the AP to TP path is locked and the AP and TP device are allowed to communicate
- Lock: a SCSI specific DAC signal pulsed by IDC to force a selected Alert circuit into the bus busy loop; asserted by Alert to the IDC to indicate that the external AP or TP bus is busy
- perm: permission, the access control settings used by all DACs
- sigs: path control signals, bit record of control signals applied to the path selectors and control signals in order to enforce the access permissions
- sh: path control signals, bit record of control signals applied to the path selectors and control signals in order to enforce the access permissions
- tag: transitory stack block tag, used to indicate when a block element in the TS structure is allocated or free for allocation
- TS: Transitory Stack, an array of records used to store the path and bus states for SCSI data transfers that terminate without being completed or aborted
- PT: Permission Table, table used by the SCSI DAC to record the accessible targets and access mode for each target from any AP
- AT: Access Table, lookup table used to determine the path selectors and access permissions for any TP attachment accessible to a given AP attachment
- Agent: as indicated by the context, either: (1) a computer attached only to the SCSI DAC and to the Internet; agents serve as Internet servers or Internet border caches for the trusted zones; or (2) paired programs, one working in the distrusted zone and one working in the trusted zone (both cooperate to ensure security at checkpoints)
- Distrusted zone: a network segment that has network access only to external networks; only agents are found in distrusted zones
- Supervisor: data server in a network zone that has no network connection and is connected only to the DAC(s) of that zone
- Client: a workstation or server in a network zone that has a network connection to other clients in its zone and may have a connection to the DAC of that zone
- IIDS or IIDSX: Internal Intrusion Detection System, a system with connections to DACs in one or more network zone(s) that has no network link to any other system in the zone(s); IIDS serves no data but can access, but not modify, any data on storage shared with any Client, Supervisor, Custodian or System Master
- Custodian: a system with connections to DACs in one or more network zone(s) that has no network link to any other system in the zone(s); custodians share storage with many other systems and manage the shared storage units
- System Master: a system that connects directly or via a cascaded link to the 1⁰ port of all DACs in all zones and has no network connection to any other system
- Sx: Storage unit attached to a DAC in a hybrid network, where x is an arbitrary numeric designation that distinguishes the unit from all other units on the same DAC
- Sx^(s): Storage unit attached to a DAC in a hybrid network that serves as the shadow storage for certain unauthorized access to Storage Sx⁰, where x is an arbitrary numeric designation that distinguishes the unit from all other units on the same DAC
- Sx⁰: primary Storage unit of a shadow pair attached to a DAC in a hybrid network, where x is an arbitrary numeric designation that distinguishes the unit from all other units on the same DAC
- Address: address bus between the DAC and the storage units of a RAM DAC
- Address′: address bus between the DAC and the processor units of a RAM DAC
- DAP: DAC AP table, cache memory dedicated to being used as AP definitions in the RAM DAC
- DTP: DAC TP table, cache memory dedicated to being used as TP definitions in the RAM DAC
- APRT: AP Request Translator, an n-way range lookup table used to validate whether an address falls within the instruction ranges of the currently active AP on a RAM DAC
- TPRT: TP Request Translator, an n-way range lookup table used to validate whether an address falls within the data ranges of the currently active AP-attachment on a RAM DAC
- AC: Access Controller, the central control unit of the RAM DAC
- RAM: Random Access Memory
- bDT: Data Transfer bus, a common data bus internal to the DAC that transports data between components of the DAC and between the DAC and bDB
- bDB: Data Bridge bus, which is used to transfer data between the RAM DAC and either Data or Data′; bDB also facilitates simultaneous data transfers between Data and Data′ and between any two internal components of the RAM DAC
- bAT: Address Transfer bus, a common address bus internal to the DAC that transports data between AC and TPRT or APRT, and between AC and bAB on the RAM DAC
- bAB: Address Bridge bus, which allows simultaneous address transfers from Address′ to Address and between internal components of the DAC; bAB also facilitates the transfer of addresses from Address′ to AC and from AC to Address
- OS: Operating System, the supervisory program on a computer that smooths interfacing between computer devices and programs
- Record.element: a generic reference in which an item (namely, an element) in an object (namely, Record) is being selected or targeted
- [Array.index]: a generic reference in which an element is selected from an Array or table by indexing
- [Table].item: a generic 
reference indicating that the Table is    searched for a Record containing the matching item-   [xx.yy] a generic reference in which a range (xx to yy) of elements    of an array or table is targeted-   shadow an alternate target to which accesses denied at the 1⁰ target    are implicitly diverted-   page[xx] defines the generic reference as accessing an element know    as a page-   memory (nn)[xx.yy] a generic reference that accesses a range (xx to    yy) of elements in a table that is offset by nn from the start of    memory-   p(xx) a generic reference that performs a table lookup and creates a    path selector that can be later used in a later path(nn) path    establishment-   X∪Y OR, the union or logical OR of X and Y-   X∩Y AND, the intersection or logical AND of X and Y-   X{circle around (x)}Y XOR, the exclusion or logical XOR (exclusive    OR) of X and Y-   USID Unique Source Identifier, a temporary replacement for the    actual SID used when making an access through the DAC; USID is an    index into the TS and can be used to give a unique reference to each    pending request from an AP to a TP attachment-   Respond( ) a generic response to a command or message that has been    blocked because it would lead to an eventual access violations; the    response type is dependent on implementation and may be specific for    the various messages and commands used by the storage system    General Description of DAC

As mentioned above, a “distributive access controller” or “DAC” is a physical device which can be applied as a conjunctive device or as an integrated part of any kind of information storage unit in an electronic system. Applied as such, DACs allow secure sharing of common storage by transforming logically partitioned systems into physically partitioned systems with more secure electronic connectivity, and by removing the control of access permissions beyond the reach of attached systems. These DACs provide multiple access ports by which computer systems can attach to the DAC to access the storage unit(s) while governing the type of access allowed at each access port. Typically, each DAC provides a primary access port to which a capable owner connects to gain full control of the attached storage unit(s). Each DAC also provides at least one other secondary access port to which any capable system connects to gain restricted access to the same storage unit(s) without the aid of said owner. The type of access allowed through these lesser, secondary access ports is set by the DAC's hardware and may be changed only via the DAC's installed switches. These DACs enhance access control from attached systems by utilizing their physical point of attachment, namely each of the access ports, as an unmodifiable identity (ID) element. This mode of action generates a more trustworthy environment by removing the possibility that an attached system could act as an impostor and gain access to attached resources to which it has not been given rights. The owner of the attached storage unit and the DAC can be certain that no attached system (whether local or remote) can override the DAC's access permissions.

Since the primary purpose of networking is to share information, protecting the information source (and often the destination) should be the primary goal of any security scheme. The DAC can be inserted into the bus path of any storage unit to act as an adjunct to the storage unit's own controller. In particular, the storage units may utilize IDE, Small Computer System Interface (SCSI), Firewire, Fiberchannel or other bus types, and include hard disk drives, RAM disk drives or multidrive units such as fiber-channel or standard RAID units. The DACs according to the invention can adapt even banks of random access memory (RAM) of any kind (e.g. dynamic, CMOS, NOV etc). Described in detail below are: a preferred embodiment of the DAC for access control to SCSI storage units, and a preferred embodiment of the DAC for access control to memory. When possible, annotations referring to points of variation with respect to the two described preferred embodiments for adapting other storage unit types will be provided.

FIG. 1 is a general schematic illustration of a DAC 10 depicting the primary functional component blocks of DAC 10. The generalized form of DAC 10 illustrated in FIG. 1 can be adapted for any of the widely varied methods and means by which computer systems may access the large variety of storage media available to electronic systems. Referring to FIG. 1, DAC 10 comprises multiple access ports APx (where 0≦x≦n and n is an integer n≧2) at which capable systems may attach to DAC 10 in order to access the storage unit(s) controlled by DAC 10. Of these access ports, one access port AP0 is differentiated to act as the primary or “owner” access port. Associated with each access port APx is a corresponding access controller unit APxU specifying the type of access allowed via the given access port APx; each of the corresponding access controller units APxU may be pre-set by the owner through an access controller interface unit ACI (explained below). DAC 10 further comprises one or more transfer ports TPy (where 1≦y≦m and m is an integer m≧1) at which one or more storage unit(s) may attach to DAC 10. DAC 10 further comprises an arbitrating communication control unit 20 that facilitates communication and the transfer of information between the access ports APx and the transfer ports TPy.

FIG. 2 is a general schematic illustration of a typical network-like system utilizing the DAC 10. Referring to FIG. 2, system attachments 30, 32, 34 attach to DAC 10 at access ports AP0, AP1, AP2 respectively and storage device SD attaches to DAC 10 at transfer port TP1. Each of the attachments 30, 32, 34 shown in FIG. 2 may represent, individually, a program, a singular computer, or an entire network (for example, LAN, WAN, or the Internet). Although only one storage device SD and three attachments 30, 32, 34 are shown in FIG. 2, DAC 10, as mentioned above, can be configured to accept a primary attachment and n additional secondary attachments (where n is an integer n≧1) along with m storage units (where m is an integer m≧1). Referring to FIG. 2, access port AP0 is the primary access port, and the flow of information through access port AP0 and the ability of attachment 30 to control storage device SD are unrestricted except for what is needed to maintain transfer partitioning and integrity. On the other hand, access ports AP1 and AP2 are secondary access ports where restricted systems may attach to DAC 10 to gain access to storage devices attached to DAC 10, but with access restrictions imposed by the owner of DAC 10. In the example illustrated in FIG. 2, access port AP1 is designated as “write only” and so the flow of data from attachment 32 is allowed to proceed only from access port AP1 to storage device SD and not vice-versa, and DAC 10 generates appropriate signals to inform or mislead attachment 32 regarding the status of restricted transfer attempts. Access port AP2 is designated as “read only” and so the flow of information is restricted to the controls necessary to set up the access and the reading of information from storage device SD. DAC 10 partitions the port buses to effect transparent access and flow of information among access ports AP0, AP1, AP2 and transfer port TP1 for enhanced security. DAC 10 gives priority to, and allows all requests from, attachment 30 at primary access port AP0. On the other hand, DAC 10 qualifies access requests from attachments at secondary access ports AP1 and AP2 and intercedes as necessary to enforce the access restrictions assigned to the corresponding access controller units AP1U, AP2U. Storage device SD receives and responds only to requests passed on by DAC 10.

SCSI Oriented DAC

The following description applies the general principles discussed above to an embodiment of DAC 10 suitable for SCSI storage units.

SCSI DAC Problems to Solve

For DAC 10 to adapt SCSI storage units for use as secured shared storage, several problems and opportunities arise that require special attention:

-   1. SCSI systems utilize identity (ID) values to uniquely specify which attachment is initiating a communication, and which attachment is being targeted for the communication. This can be used to allow DAC 10 to determine which systems to connect for authorized communications. Yet, DAC 10 must ensure that the initiator's ID is true and that the initiator's true ID is never known to the target, in order to maintain the privacy of the initiator.
-   2. SCSI buses are shared buses: only one initiator and its target can communicate using the bus at any instant in time. DAC 10 must overcome this limitation in order to support multiple access ports and transfer ports.
-   3. To share the bus, the attachments must continually monitor the bus for an opportunity to use it. This means that each attachment is, and must be, aware of all other attachments on the bus. DAC 10 must prevent this in order to provide transparent access.
-   4. All targets must monitor the bus to determine when they are being targeted. This implies that all targets on the bus can be discovered by the simple act of presenting their ID with the initial connection request. DAC 10 must prevent this in order to provide appropriate access control to otherwise private storage.
-   5. The target can be told to disconnect and must depend on the initiator's ID in order to reconnect and complete whatever process was initiated. DAC 10 must support this feature while ensuring that the initiator's ID remains private.

SCSI DAC Characteristics

The first opportunity arises from the observation that, as a DAC 10, a SCSI oriented DAC 10A must be able to adapt several initiators and storage units on the same device. The SCSI bus' use of targeting IDs makes it possible for initiating systems to concurrently and transparently access the attached storage units. Yet, each storage unit can only ever assume one ID value for every session following power-on-reset, and all attached systems must target the storage units with this same ID. In addition, each attached system may have initiating devices whose IDs are unique within that system but may not be unique with respect to other systems that are serviced by the DAC 10A. This can present problems for routing and opportunities for misuse by impostors (systems attempting to gain access to resources by assuming the ID of other attached systems).

SCSI DAC Hardware Description

FIG. 3 is a detailed schematic illustration of the chief components of a DAC 10A adapted for SCSI systems. In particular, FIG. 3 illustrates a system that can successfully share m SCSI storage units among n+1 attachments (the owner's own attachment and n additional attachments). SCSI systems normally share a common bus, and use source and destination IDs to select communicating partners. To allow transparent sharing, no initiating system (at an access port) must be able to detect the presence of any other initiating system attached to DAC 10A. Likewise, no initiating system must be able to detect transfer port attachments with which it must not be able to communicate. These specifications are key to ensuring transparent access to shared storage without the risk of systems being impersonated. To meet these specifications, DAC 10A provides a unique bus attachment point for each attachment and routing controls to assure that each attachment is isolated from every other attachment at all times.

In FIG. 3, different parts of DAC 10A have been grouped into sections for ease of understanding, namely sections A, B, C, D⁰ and D¹. In the example illustrated in FIG. 3, section A includes a primary access port AP0 and secondary access ports AP1, . . . APn from which attachments can access any given storage device SDy, where 1≦y≦m, provided that the particular attachment has been assigned permission by DAC 10A. Section B includes the transfer ports at which the storage devices SDy to be shared are attached; note that multiple storage units may attach to any transfer port. The communication control unit 20 of the DAC 10A is provided by sections C, D⁰ and D¹. Section C is germane to the establishment and maintenance of the bus uniqueness described above, and will be discussed in greater detail below. The buses are then kept isolated by sections D⁰ and D¹, which also provide the access path to the target systems when necessary. Sections D⁰ and D¹ may be integrated but are depicted as separate entities for ease of comprehension. Sections D⁰ and D¹ provide the path through which the communication signals flow to and from participating access ports and transfer ports. The depicted connecting buses are also simplistically represented for ease of comprehension. The communication path combinations selected for this embodiment afford optimal utility, versatility and throughput among the other possible circuit implementations that can be considered.

Section C is the main processing section of DAC 10A. Each access port APx has a corresponding access controller unit APxU (0≦x≦n), and each transfer port TPy has a corresponding access controller unit RUy (1≦y≦m). In the example illustrated in FIG. 3, section C includes n+1 individual access controller units APxU (0≦x≦n) and m individual access controller units RUy (1≦y≦m). It is possible to operate one access controller unit APxU and one access controller unit RUy with a sequencer/selector to multiplex each bus for processing. However, this modification, even though functionally possible, would induce significant access delays and thus decrease performance of DAC 10A. As shown, up to the minimum of (n+1) and m independent concurrent paths can be established for maximum throughput.

Section C includes a centralized processing component IDC which functions as an “Interlock and Datalink Coordinator” for coordinating path allocation and control through the DAC 10A (“interlock” will be discussed below, and refers to the situation where the path from the access port to the transfer port is locked and the attachments thereto are permitted to communicate). FIG. 4 is a schematic illustration depicting the functional layout of processing component IDC. Processing component IDC centralizes control and co-ordinates activities between access controller units APxU and RUy, 0≦x≦n and 1≦y≦m. Processing component IDC utilizes its own central processing unit and local storage, in addition to the ability to access registers and local memory of all access controller units APxU and RUy. Processing component IDC has a separate local data bus DB and control bus CB which multiplex signals (via APxU-CB, APxU-DB, RUy-CB, RUy-DB) from each access controller unit APxU and/or RUy as needed to process and disseminate controls for data flow. Requests for service from access controller units APxU and/or RUy are received separately at an interface request controller IRC and are prioritized and queued internally to ensure service is granted. In particular, an access controller unit APxU and/or RUy issues a “link Request/command Process” signal R/P to request clearance from processing component IDC to establish a path between an access port APx and a transfer port TPy, or to qualify the bus signals required to safely process a command or message or subsequent data transfers. Controller IRC records and prioritizes these signals R/P and interrupts processing component IDC according to parameters set by the owner of DAC 10A. Processing component IDC responds to a signal R/P with a “grant/deny” signal G/D to indicate whether the required path or target is available and to reserve the path access for the access controller unit APxU or RUy.

Processing component IDC includes an access control interface unit ACI from which the owner of DAC 10A specifies the access control requirements needed for each link between each access port APx and each transfer port TPy. Unit ACI is located on processing component IDC to allow runtime permission modification without interfering with or needing to completely reset DAC 10A. FIG. 5 is a conceptual diagram of an access port permission table PT composed by unit ACI. Permission table PT is set by the owner (the party who controls DAC 10A) and details the source identifier SID of the system attached to each access port APx. Permission table PT further defines the target identifier TID of each target storage device SDy that is accessible to the access port APx, the transfer port identifier tPID to which the target storage device SDy is attached, and the permission codes (perm) allowed from the source identifier SID to the target identifier TID. Such permission codes may be taken from the following Table I:

TABLE I
Access Permission Codes by DACs

V  1°  Write  Read  perm
0  0   0      0     no access (na)
0  0   0      1     read-only (r)
0  0   1      0     write-only (w)
0  0   1      1     read-write (rw)
0  1   0      0     Owner with no access (*m)
0  1   0      1     read-only with shadow (*r)
0  1   1      0     write-only with shadow (*w)
0  1   1      1     full control (m)
1  0   0      0     virtual-no access (na)
1  0   0      1     virtual-read-only (r)
1  0   1      0     virtual-write-only (w)
1  0   1      1     virtual-read-write (rw)
1  1   0      0     virtual-Owner of inaccessible share (*m)
1  1   0      1     virtual-read-only share (*r)
1  1   1      0     virtual-write-only share (*w)
1  1   1      1     virtual-Owner of read/write share (m)

Table I shows the possible permission codes for any attachment to an access port APx to access any storage device SDy on any type of DAC 10, not only a SCSI oriented DAC 10A. Depending on storage system implementation, some permission codes may be unused or may have expanded functionality. On a SCSI oriented DAC 10A, the na permission code prevents a storage device SDy from being discovered or accessed from the given access port APx. On a RAM oriented DAC 10B (explained below), na does not make the attachment at a transfer port TPy inaccessible (a null-attachment is used instead); it notifies the hardware that a software component must pre-empt all access to that attachment. On the RAM oriented DAC 10B, the rw permission gives the attachment at access port APx exclusive access to the attachment at transfer port TPy, with the guarantee that elements of the attachment may only appear in the attachment of any other access port APx with the na or *m permission. The r permission guarantees that elements of the attachment may only appear in the attachment of any other access port APx with the na, *m, or same permission. Furthermore, it guarantees that only one other attachment at an access port APx can access an element of the attachment with the w permission. The w permission guarantees that elements of the attachment may only appear in the attachment of any other access port APx with the na, *m, or opposite permission. On the SCSI oriented DAC 10A, w allows the access port APx to add to the contents of the storage device SDy but not modify its existing contents, while rw allows content modification but not management of the storage units. On a RAM oriented DAC 10B, the *m permission is reserved for memory management transfer port TPy attachments only and refers to an attachment (access port APx or transfer port TPy) which has been allocated to another access port APx. The hardware of DAC 10 treats access to an attachment with this permission as an access violation. On a SCSI oriented DAC 10A, *m is applied to storage devices SDy that are being intercepted by a master access port attachment, or storage devices SDy whose “shadows” (explained below) are non-operational. On all DAC 10 that support the shadow feature, the permissions *r and *w indicate that the specified operation (r or w respectively) is allowed at the target identifier TID, and that the opposite operation (w and r, respectively) must be directed at the shadow target. On the RAM oriented DAC 10B, the m permission is reserved for memory management access ports and denotes free transfer port attachments that may be allocated as access port or transfer port attachments as needed. No element of such an attachment may appear in any other attachment whatsoever. On the SCSI oriented DAC 10A, m allows the access port APx full access to the storage device SDy with the freedom to manage the storage device SDy. The virtual permission bit (V) is included for historical compatibility with systems that use virtual addressing techniques. The virtual permissions operate similarly to the first four corresponding permissions in the table, but DAC 10 uses the shadow field as an offset to find the intended target. The shadow feature is not supported with virtual permissions and the hardware ignores its permission bit setting. The virtual share permissions that use the 1⁰ bit are merely recommendations for software use.

Referring to FIG. 5, for a SCSI oriented DAC 10A that supports a shadow feature, the shadow target identifier sT and shadow transfer port identifier sPID for locating and accessing the shadow target storage device SDy can also be defined in permission table PT. The access permission of the shadow target storage device SDy is the implied opposite of the primary target (see Table I). Target identifier TID and shadow target identifier sT must be different if they are both on the same transfer port TPy. When the permission codes define a “virtual” permission, shadow target identifier sT and shadow target port identifier sPID are used instead of target identifier TID and transfer port identifier tPID for valid access modes.

FIG. 6 is a detailed schematic illustration of the components of an access controller unit APxU, where 0≦x≦n. Each access controller unit APxU detects when an attachment to its corresponding access port APx requires access to an attached storage device SDy, establishes the data-flow path required, issues a signal R/P to processing component IDC, and handles disallowed requests. Each access port APx has its own unique port identifier APID which is used to route signals back to the correct access port to ensure system integrity. Each attachment at an access port APx similarly has a source identifier SID, which is the name or number used to explicitly define such an attachment; however, for purposes of access through DAC 10A, source identifier SID is temporarily replaced during a “Selection” process by a unique source identifier USID (this addresses both the anonymity issue as well as the issue of different access port attachments having the same SID). A port communication controller PCC is responsible for supervising the activities through each established unidirectional path of an effectively bidirectional bus, and controller PCC generates and recombines signals to set up, maintain, and route signals through a data-flow path. Controller PCC also contains a processing unit capable of decoding and encoding SCSI signals so as to detect bus phases and to respond to a subset of the SCSI messages and commands.

As explained in further detail below, access controller unit APxU includes an “Alert” module which determines when an attachment wishes to communicate through an access port APx, and alerts processing component IDC of DAC 10A so that a path to the intended target can be established. The Alert module asserts an “interlock” signal, which is a SCSI-specific signal set by the Alert module to indicate that the path between the access port and the transfer port has been locked and secured, thereby providing an exclusive access path between the participating access port and transfer port; only then are the access port and transfer port attachments allowed to communicate. This condition may be described as “interlocked” for the purposes of the following description. When the signal Interlock is released, controller PCC then frees the locked access path(s) so that they may be reassigned to other transfer ports and access ports. This system allows for as many concurrent transaction paths as the minimum of (n+1) and m. Each access controller unit APxU manipulates a data bus DB and a control bus CB.

FIG. 6 shows some components that are present only in access controller unit AP0U, and not in any other access controller unit APxU, where x≠0. One of those components present only on access controller unit AP0U is a “Reset and Initialization” subcomponent RI, which performs reset and initialization processing. DAC 10A treats subcomponent RI as an additional attachment at access port AP0, and an optional reset port ID register rPID contains the port identifier APID assigned to access port AP0 and assigns the same port identifier APID to subcomponent RI. A data shunt DS is also present only for access controller unit AP0U and is a shunt pathway used by subcomponent RI during a bus scan; data shunt DS returns data bus DB and control bus CB to subcomponent RI when the access port buses are disabled during a “Reset” (as explained below).

FIG. 7 is a more detailed schematic illustration of subcomponent RI. At power-on of DAC 10A, subcomponent RI subsumes the role of controller PCC of access controller unit AP0U in order to gain access for scanning all transfer ports TPy and access ports APx. The access functionality of access ports APx is simulated by data shunt DS. Subcomponent RI also has access to the permission table PT of unit ACI for initializing permissions set by the owner of DAC 10A. Subcomponent RI also monitors a reset line RST, which is generated only by AP0U in response to a “Reset” message from the owner of DAC 10A to perform a partial reset of all devices attached to all transfer ports TPy.

FIG. 8 is a detailed schematic illustration of the components of access controller unit RUy, where 1≦y≦m. Access controller unit RUy is almost identical to access controller unit APxU, which makes sense since SCSI systems allow target storage units to re-initiate connections. The primary difference is that access controller unit RUy triggers a “Reselection” process in DAC 10A, during which processing component IDC uses the temporary unique source identifier USID to retrieve the port identifier APID and the original source identifier SID. Messages and commands from a reselecting target are also filtered, in a manner similar to how source items are filtered by an interlocked APxU. A real implementation may take advantage of the interlocked processing to incorporate access controller units APxU and RUy into one component, multiplexing operational differences as determined by the selection/reselection outcomes of a predetermined truth table.
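The SID-to-USID substitution described for the Selection process (in the APxU description above) and its reversal during Reselection (this paragraph) can be modelled with a small transitory stack. The following is an added illustration, not the patent's own logic: the number of TS blocks, the fields kept per block, and the check that a reselecting target matches the path its USID was issued for are assumptions made for this model.

```python
"""Model of the SID -> USID substitution at Selection and its reversal at
Reselection. Added illustration, not the patent's own logic; TS size, the
per-block fields and the target-match check on reselection are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TSBlock:
    """One record of the transitory stack TS; tag marks it allocated."""
    tag: bool = False
    apid: int = 0   # access port the request came from
    sid: int = 0    # real source identifier, never shown to the target
    tpid: int = 0   # transfer port of the target
    tid: int = 0    # target identifier


class TransitoryStack:
    """USID = index of the TS block that records a pending AP -> TP request."""

    def __init__(self, size: int = 8) -> None:
        self.blocks: List[TSBlock] = [TSBlock() for _ in range(size)]

    def select(self, apid: int, sid: int, tpid: int, tid: int) -> Optional[int]:
        """Selection: record the real (APID, SID) and hand back a USID.

        A pending request for the same path reuses its block; otherwise the
        first free block is tagged. Returns None when TS is exhausted, in
        which case the request has to wait (the source sees a busy bus).
        """
        for usid, blk in enumerate(self.blocks):
            if blk.tag and (blk.apid, blk.sid, blk.tpid, blk.tid) == (apid, sid, tpid, tid):
                return usid
        for usid, blk in enumerate(self.blocks):
            if not blk.tag:
                blk.tag, blk.apid, blk.sid, blk.tpid, blk.tid = True, apid, sid, tpid, tid
                return usid
        return None

    def reselect(self, tpid: int, tid: int, usid: int) -> Optional[Tuple[int, int]]:
        """Reselection: the target presents only the USID it was given.

        IDC recovers (APID, SID) from the block. Requiring that the
        reselecting target is the one the block was opened toward is an
        added safeguard (assumption): a stale or guessed USID presented by
        another target yields None and the reselection is not serviced.
        """
        if not 0 <= usid < len(self.blocks):
            return None
        blk = self.blocks[usid]
        if not blk.tag or (blk.tpid, blk.tid) != (tpid, tid):
            return None
        return (blk.apid, blk.sid)

    def complete(self, usid: int) -> None:
        """Free the block once the transfer completes or is aborted."""
        if 0 <= usid < len(self.blocks):
            self.blocks[usid].tag = False

    def pending(self) -> int:
        """Number of allocated blocks."""
        return sum(1 for blk in self.blocks if blk.tag)


def demo() -> dict:
    """Constructed scenario: attachments at AP1 and AP2 both use SID 7."""
    ts = TransitoryStack(size=2)
    u1 = ts.select(apid=1, sid=7, tpid=1, tid=3)   # AP1 selects target 3 on TP1
    u2 = ts.select(apid=2, sid=7, tpid=1, tid=3)   # AP2, same SID, same target
    result = {
        "usids": (u1, u2),                           # distinct despite equal SIDs
        "ts_full": ts.select(apid=3, sid=9, tpid=1, tid=3),
        "reselect_u1": ts.reselect(1, 3, u1),        # target 3 reconnects to AP1
        "reselect_u2": ts.reselect(1, 3, u2),        # and separately to AP2
        "wrong_target": ts.reselect(2, 3, u1),       # another target, same USID
    }
    ts.complete(u1)
    result["after_complete"] = ts.reselect(1, 3, u1)  # freed block: ignored
    result["pending"] = ts.pending()
    return result
```

Two attachments with the same SID receive different USIDs, so the target can reconnect to the right port without ever seeing either real SID; once a transfer completes, its USID is freed and a late reselection against it is ignored.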

SCSI DAC Initialization

As discussed above, subcomponent RI is reserved for the owner access port AP0 and thus is present only in the access controller unit AP0U. The task of subcomponent RI is to generate a “Reset” condition at power-on and process the Reset signal for the owner access port AP0 only. The power-on reset condition forces the access controller unit AP0U into initialization mode.

FIG. 9 is a flowchart outlining the initialization process, which prepares the DAC 10A for “Normal” operation. As shown in step 900, the first step of initialization is to power-on the DAC 10A. As shown in step 902, all access port buses are disconnected to prevent any attachments from interrupting the process. As mentioned, subcomponent RI is situated in the path of the primary access port AP0, and acts as an attachment at access port AP0. Subcomponent RI gains full control of DAC 10A by activating data shunt DS. As shown in step 906, subcomponent RI then actively scans for storage devices SDy using their target identifiers TID at each transfer port TPy and builds an access table AT, as illustrated in FIG. 10. Subcomponent RI logs from unit ACI into access table AT the port identifiers TPID and their access permissions in respect of each access port APx, using the permission table PT illustrated in FIG. 5. Path selector tP creates a bi-directional path between APx and SDy, and path selector sP creates a bi-directional path between APx and a shadow device. Unassigned target identifiers TID are excluded, while assigned target identifiers TID that are missing or unresponsive are assigned the “No Access” (na) permission at all access ports APx to prevent them from being targeted for use. The four-bit access codes, defined in Table I, are used when needed by the processing component IDC to determine the signals necessary to control the data-flow paths. Note that the na permission prevents any present storage device SDy from being discovered by a given access port APx and its attachment. DAC 10A may use the virtual permissions, but these permissions are inherently less secure and less versatile than the non-virtual permission set. For virtual permissions, the shadow target identifier sT and shadow target port identifier sPID are actually used to select a target, although the target identifier TID is used by the source and for the access validation. For the rest of this discussion, the virtual permissions must be considered operationally identical to non-shadowed permissions with the stated target selection exception.

SCSI DAC Normal Operations

After the power-on Reset and Initialization process illustrated in the flowchart in FIG. 9, “Normal” operation (r/N) is asserted and attachments are allowed to access storage devices SDy controlled by DAC 10A. Attachments at access ports APx are expected to perform an initial scan to determine what, if any, SCSI storage devices SDy are present in their environment. Such a scan should be issued at system start-up unless the operating system (OS) can dynamically install devices. DAC 10A will not respond if a scanned target is not attached to DAC 10A, or is not allowed to be accessed by the attachment or from its access port APx, and the attachment will time out unless the required storage device SDy is present on its local bus. Thereafter, a timeout during SCSI selection of an accessible storage device SDy controlled by DAC 10A should only mean that the target is busy. Attachments that encounter such timeouts should retry for a reasonable number of attempts until the target can respond or is assumed to be malfunctioning. Additional logic can be added to forcibly disconnect a communication path (by initiating a target disconnect to the source and a source disconnect to the target) after a time interval. DAC 10A could force the target to wait before reconnecting by ignoring it (allowing it to time out whenever it attempts a reselection) for a given time interval. DAC 10A would reinitiate the connection when all allowed attachments have had a fair chance to connect to the storage device SDy, or it can allow the target access to a path when the waiting interval has expired.

The following is a step-by-step description of how DAC 10A processes a communication event from a given secondary access port APx, 1≦x≦n, to a given target on a given transfer port TPy. The discussion focuses on one particular pair of these ports but is applicable to any pair of access port APx and target port TPy on DAC 10A. Where the port pair involving the primary access port AP0 would differ in function, the difference is addressed at the earliest possible moment in the discussion below. Note that the discussion is applicable to all communication between any access port APx and any transfer port TPy unless otherwise specified.

SCSI DAC Path Selection

When an attachment, for example at access port AP1, attempts to access a storage unit, for example storage device SD2 at transfer port TP1, a unique path must be established to allow this communication. As shown in FIG. 3, access to storage from access port AP1 is controlled by access controller unit AP1U and access to data from storage device SD2 is regulated by access controller unit RU1 of section C. Together, these components must determine when access is being requested and facilitate access if it should be granted. Component AP1U is shown in greater detail in FIG. 6 (although it should be noted once again that subcomponent RI and related components in FIG. 6 are not a part of access controller unit AP1U) and access controller unit RU1 is shown in greater detail in FIG. 8.

Each of access controller unit AP1U and access controller unit RU1 has an Alert module that detects and negotiates a request for access; the operation of the Alert module is illustrated in the flowchart in FIG. 11. The Alert module is implementation specific and must be adjusted to suit each implementation. In FIG. 11, BSY, SEL, ATN and I/O are SCSI bus signals that can be snooped to determine the state of the bus. The Alert module then generates signal R/P to notify DAC 10A when an access port or transfer port attachment wishes to use DAC 10A as a pathway for communication. The Alert module also generates a signal Interlock to notify its parent access controller unit APxU or RUy that it has been assigned rights to a given data path, and negates it when the path has been relinquished. Note: side-processes with no visible exit indicate a triggered process in processing component IDC. Distribution of such processing allows for maximum utility of resources.

The Alert module is critical to the efficient functioning of DAC 10A and should be implemented as a pure logic circuit (i.e. its function is not implemented in software). The Alert module depends on the processing modules of processing component IDC. As shown in step 1120, when the Alert module asserts signal R/P with signal “Lock” negated, processing component IDC enters the “Seek Target” process illustrated in more detail in the flowchart in FIG. 12 to determine if access should and can be granted, and if the path can be established (the target is not otherwise engaged).

FIG. 12 is a flowchart depicting the response of processing component IDC to signal R/P, asserted by the Alert module, in locating and determining the accessibility of a requested target. Processing component IDC validates path availability and the use rights of the involved ports by the target and source units. The process utilizes permission records of access table AT (shown in FIG. 10) and routing records of a transitory stack TS (explained below), depending on whether signal R/P was asserted by an access controller unit for an access port APx or for a transfer port TPy. Port state (port.state) information is derived both from internal records of processing component IDC and from the Lock status of the given port, since devices external to the port can use the external SCSI bus.

Stack TS is a transitory stack in the form of an array of records used to store the path and bus states for data transfers that terminate without being completed or aborted. FIG. 13 shows the utilization of a dynamic allocation table for stack TS. It is used to generate a unique source identifier USID to support the SCSI communications feature of disconnection and reconnection. It also enables a fully populated DAC 10A to host access ports APx with attachments that have the same source identifiers SID and allow each to access any or all transfer port TPy attachments without conflict. The elements of the allocation table are the access port identifier APID, the source identifier SID, flags for historical control of data and control bus signals (sigs and sh), and a flag (tag) to note whether a particular unique source identifier USID has been allocated or not. The unique source identifier USID, first generated as a replacement for a presumably non-unique source identifier SID, is also the index for locating the source identifier SID and its related counterparts.

The flowchart in FIG. 14 depicts how DAC 10A uses internal routing controls to enforce port usage and access transparency; in particular, it depicts the internal dynamic access routing control by processing component IDC. Each unique connection out to a terminal unit is assigned a unique source identifier USID that is known only to DAC 10A and is used by DAC 10A to replace the original source identifier SID. This unique source identifier USID is used to locate the real source for any reply it should receive, and for connection re-establishment by the target.

For access port AP1, only the Selection (Sel/resel) phase is recognized, and it will be processed only if permissions allow it and a unique source identifier USID can be allocated in accordance with the flowchart in FIG. 14. A target may be inaccessible because it is being accessed by another access port APx, or because its transfer port bus is in use by some other device in its local system. As shown in FIG. 11, DAC 10A is aware of all busy local buses since access controller unit APxU or RUy will have invoked the Seek Target process and received a Deny access (g/D) from the processing component IDC, to which it responded by asserting the signal “Lock” until the external bus is released. For a reversed connection (where storage device SD2 attempts to reconnect to the attachment at access port AP1) only the Reselection (sel/Resel) phase is recognized, and it will be processed if a valid unique source identifier USID was already allocated to it. Since all access port and transfer port local buses are isolated, DAC 10A never contends during the “arbitration” process shown in FIG. 11; thus a timeout is the only manner by which to respond to an unavailable path, and the proper manner by which to respond to the intrusive attempt to make a prohibited access, since the source cannot tell a prohibited target from an absent one. As already stated, any condition that prevents the successful allocation of a path will cause processing component IDC to issue a signal g/D (meaning “access denied”); otherwise the processing component IDC will assert a signal G/d (meaning “access granted”). Aside from asserting signal Lock in response to signal g/D, the Alert module also allows a SCSI Sel/Resel timeout to occur, after which the attachment may retry its access or abort its attempt. In the case of signal G/d, the Alert module will issue signal Interlock to controller PCC, activating it and allowing it to assert the path which was passed to it by processing component IDC. Processing component IDC will also assert signal Lock to the desired Alert module to notify it that its controller PCC must participate in the communication path. Once signal Interlock is issued, the Alert module maintains signal Interlock until the bus becomes free (signals BSY and SEL are negated).
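The following Python model, added here as an illustration and not part of the patent, shows the path selection mechanics above in code: the Seek Target grant/deny decision against the access table, allocation of a unique source identifier USID from a transitory stack TS indexed by USID (so that two access ports whose attachments carry the same SID can share a target without conflict), the replacement of the SID bit by the USID bit during Selection and the reverse replacement during Reselection, and the release rule that a USID goes back only to the port that owns it and only when it has no outstanding transfers. SCSI IDs are modelled as bit positions on an 8-bit data bus; the pool of USID values, the access table contents and all function names are this example's own assumptions.

```python
"""Unique source identifier (USID) handling of FIGS. 12, 13, 14 and 17.
Illustrative model, not part of the patent.  SCSI IDs are modelled as bit
positions on an 8-bit data bus, as SCSI-2 presents initiator and target
during SELECTION/RESELECTION."""

from dataclasses import dataclass
from typing import Optional

NA = "na"             # "No Access": the target is invisible to that access port
CLEAR = (0b11, 0b00)  # Table III: sigs.DB = 11, no data transfer forecast


@dataclass
class TSRecord:
    """One row of the dynamic allocation table of FIG. 13."""
    apid: Optional[int] = None   # access port of the real source
    sid: Optional[int] = None    # source ID as seen on that access port's bus
    sigs: tuple = CLEAR          # forecast bus controls for the primary (1°)
    sh: tuple = CLEAR            # forecast bus controls for the shadow
    tag: bool = False            # USID allocated?
    outstanding: int = 0         # disconnected transfers awaiting reselection


class TransitoryStack:
    """Stack TS: the USID is the key, so mapping a USID back to its source is a
    direct lookup.  usid_pool is the set of IDs on the transfer-port bus that no
    target uses (an assumption of this example)."""

    def __init__(self, usid_pool):
        self.records = {usid: TSRecord() for usid in usid_pool}

    def allocate(self, apid, sid):
        for usid, rec in self.records.items():
            if rec.tag and (rec.apid, rec.sid) == (apid, sid):
                return usid                       # this source already holds one
        for usid, rec in self.records.items():
            if not rec.tag:
                self.records[usid] = TSRecord(apid=apid, sid=sid, tag=True)
                return usid
        return None                               # no free USID: path cannot be built

    def resolve(self, usid):
        """Locate the real source for a reply or a target's Reselection."""
        rec = self.records.get(usid)
        return (rec.apid, rec.sid) if rec and rec.tag else None

    def free(self, usid, requesting_apid):
        """FIG. 17: release only to the owning port, and only when that port
        has no outstanding transfers on the USID.  Returns True if released."""
        rec = self.records.get(usid)
        if rec is None or not rec.tag or rec.apid != requesting_apid or rec.outstanding:
            return False
        self.records[usid] = TSRecord()
        return True


def seek_target(access_table, ts, apid, sid, tid, busy_tids=frozenset()):
    """FIG. 12 Seek Target: ("G/d", usid) on grant, ("g/D", None) on denial.
    access_table maps (apid, tid) -> permission; a missing entry means na, so a
    prohibited target is indistinguishable from an absent one (the source only
    ever sees a selection timeout)."""
    if access_table.get((apid, tid), NA) == NA or tid in busy_tids:
        return ("g/D", None)
    usid = ts.allocate(apid, sid)
    return ("G/d", usid) if usid is not None else ("g/D", None)


def to_target(select_bus, sid, usid):
    """APxU during SELECTION: the initiator's ID bit is replaced by the USID
    bit before the byte reaches the transfer-port bus; the target's bit stays."""
    return (select_bus & ~(1 << sid)) | (1 << usid)


def to_source(reselect_bus, usid, sid):
    """RUy during RESELECTION: the target asserts its own bit and the USID bit;
    the true SID bit is restored so the attachment recognises itself."""
    return (reselect_bus & ~(1 << usid)) | (1 << sid)


def demo():
    access_table = {(1, 2): "r", (2, 2): "w"}     # AP1 read-only, AP2 write-only on target 2
    ts = TransitoryStack(usid_pool=[5, 6])         # IDs 5 and 6 unused on the TP1 bus
    g1 = seek_target(access_table, ts, apid=1, sid=7, tid=2)
    g2 = seek_target(access_table, ts, apid=2, sid=7, tid=2)   # same SID, other port
    g3 = seek_target(access_table, ts, apid=3, sid=7, tid=2)   # no entry -> na -> g/D
    sel1 = to_target((1 << 7) | (1 << 2), sid=7, usid=g1[1])   # 0x84 -> 0x24
    back1 = to_source((1 << 2) | (1 << g1[1]), usid=g1[1], sid=7)
    return g1, g2, g3, sel1, back1, ts


if __name__ == "__main__":
    print(demo()[:5])
```

The two attachments in demo() both use SCSI ID 7 yet receive distinct USIDs, so the target at transfer port TP1 sees two different initiators and its Reselection of either one is routed back to the right access port; the denial for access port 3 returns nothing the source can distinguish from an empty bus.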

SCSI DAC Access Verification

With signal Interlock asserted, controllers PCC of access controller unit AP1U and access controller unit RU1 are activated and will mediate all activity between the source access port AP1 and the target storage device SD2, as depicted in the flowchart in FIG. 15. First, controller PCC asserts path selectors tP and sP to activate the individual unidirectional path buses controlled by the access controller unit AP1U and access controller unit RU1. The initial state for controller PCC is the Sel/Resel mode, in which controller PCC allows the target and source to complete the Selection process unimpeded except to replace source identifier SID with the unique source identifier USID and vice versa. For all other exchanged commands or messages, access controller unit AP1U will replace all references to source identifier SID with unique source identifier USID before allowing them to reach the target. Likewise, access controller unit RU1 will replace unique source identifier USID instances with the true source identifier SID before it returns any messages from the transfer port TPy. Processing of transactions on an established path through DAC 10A is summarized in Table II:

TABLE II. Bus activity controls and interactions of sub-components oPC and iPC of components APxU and RUy (section C of FIG. 3).

Interlock  MSG∪C/D  SEL  I/O  Perm  mode   DB  CB  APxU Result     RUy Result
Negated    -        -    -    -     -      -   -   Inactive        Inactive
Asserted   0        0    0    r     DATA   I   M   historical      pass APxU
Asserted   0        0    0    *r    DATA   ^P  ^P  ^write sTx      pass APxU
Asserted   0        0    0    w     DATA   P   P   write SDx       pass APxU
Asserted   0        0    0    *w    DATA   P   P   write SDx       pass APxU
Asserted   0        0    0    rw    DATA   P   P   write SDx       pass APxU
Asserted   0        0    0    m     DATA   P   P   write SDx       pass APxU
Asserted   0        0    1    r     DATA   P   P   pass RUy        read SDx
Asserted   0        0    1    *r    DATA   P   P   pass RUy        read SDx
Asserted   0        0    1    w     DATA   I   M   pass RUy        historical
Asserted   0        0    1    *w    DATA   ^P  ^P  pass RUy        ^read sTx
Asserted   0        0    1    rw    DATA   P   P   pass RUy        read SDx
Asserted   0        0    1    m     DATA   P   P   pass RUy        read SDx
Asserted   0        1    0    r     Sel    P   P   selection       interlocked
Asserted   0        1    0    *r    Sel    P   P   ^selection      ^interlocked
Asserted   0        1    0    w     Sel    P   P   selection       interlocked
Asserted   0        1    0    *w    Sel    P   P   ^selection      ^interlocked
Asserted   0        1    0    rw    Sel    P   P   selection       interlocked
Asserted   0        1    0    m     Sel    P   P   selection       interlocked
Asserted   0        1    1    r     Resel  P   P   interlocked     reselection
Asserted   0        1    1    *r    Resel  P   P   ^interlocked    ^reselection
Asserted   0        1    1    w     Resel  P   P   interlocked     reselection
Asserted   0        1    1    *w    Resel  P   P   ^interlocked    ^reselection
Asserted   0        1    1    rw    Resel  P   P   interlocked     reselection
Asserted   0        1    1    m     Resel  P   P   interlocked     reselection
Asserted   1        x    0    r     C/M    *Q  *Q  filter writes   pass APxU
Asserted   1        x    0    *r    C/M    *Q  *Q  ^write to sTx   pass APxU
Asserted   1        x    0    w     C/M    *Q  *Q  filter reads    pass APxU
Asserted   1        x    0    *w    C/M    *Q  *Q  ^read from sTx  pass APxU
Asserted   1        x    0    rw    C/M    *Q  *Q  allow/except    pass APxU
Asserted   1        x    0    m     C/M    P   P   allow-all       pass APxU
Asserted   1        x    1    r     C/M    *Q  *Q  pass RUy        filter reads
Asserted   1        x    1    *r    C/M    *Q  *Q  ^pass RUy       ^allow/except
Asserted   1        x    1    w     C/M    *Q  *Q  pass RUy        filter writes
Asserted   1        x    1    *w    C/M    *Q  *Q  ^pass RUy       ^allow/except
Asserted   1        x    1    rw    C/M    *Q  *Q  pass RUy        allow/except
Asserted   1        x    1    m     C/M    P   P   pass RUy        allow/all

(I = isolation, P = permit use, M = modify controls, ^ = shadowing, Q = filter applied, x = irrelevant)

Table II shows the state of the primary control signals and their outcomes with respect to control of interacting components of DAC 10A. Signal Interlock is generated by the Alert module as the master control for any communication to be initiated or continued. Signals MSG, C/D, SEL and I/O are SCSI-specific control bus CB signals. The indicated mode follows the SCSI standard, and is indicative of the active state of DAC 10A (see FIG. 18) with respect to communicating phases between the access port APx and transfer port TPy. “DB” and “CB” in Table II represent the general state controls applied to the data bus DB and control bus CB respectively. “APxU Result” and “RUy Result” are the outcomes from the perspective of the access controller unit APxU and access controller unit RUy and reflect the co-operative link between these units. The “interlocked” result indicates that the access controller unit APxU and access controller unit RUy have been recruited, and “historical” indicates that the access controller unit's output states have been held unchanged except as dictated by control bus CB, effectively blinding the source or the target to the action of the other. Virtual permission implementations are identical to those of the corresponding r, w, and rw permissions in this table.

To process commands or messages, controller PCC will blind the receiver to the event by latching the bus state, and respond as appropriate to receive and queue the entire message. As soon as a sufficient portion of the command/message has been queued, controller PCC will submit it for approval to processing component IDC by asserting signal R/P. In response to signal R/P with signal Lock negated, processing component IDC enters the “C/M Process” procedure illustrated in the flowchart in FIG. 15 to evaluate the queued C/M for its intended purpose.

The flowchart in FIG. 15 depicts the formal operation process of DAC 10A for a particular access port to transfer port communication session. The combined operation of the access controller unit APxU, access controller unit RUy, and processing component IDC is required to facilitate this process. Access controller unit APxU handles communications from the access port APx to the target device and access controller unit RUy handles communication between the transfer port TPy and the source attachment. Processing component IDC is invoked only to determine how to process restricted messages or commands (C/M Process) and to be notified that the communication path can be released. Predefined processes are those built into both target and source systems, requiring no further mediation from DAC 10A than those depicted. The flowchart in FIG. 15 demonstrates that DAC 10A interferes with the transmission of messages and data only as necessary to preserve access transparency and permission conformity.

The flowchart in FIG. 16 illustrates how processing component IDC filters restricted commands and messages (C/M) when requested by access controller unit APxU or access controller unit RUy. Processing component IDC ensures that the 1° and shadow states are synchronized for any data transfer event by ensuring that both are tagged to receive C/M when necessary. Processing component IDC also assures that no target device receives C/M that would allow the attachment to exceed its access privilege. It does this by substitution or rejection of the C/M, or by predicting data transfers and the control signal manipulations that will avert the possibility of the breach occurring. It records these predictions and controls so that they will be enforced even during a disjointed transfer session. Processing component IDC returns control signals, by way of the C/M queue record, that indicate to controller PCC how the C/M should be dealt with (C/M.1° = allow access via path(tP), C/M.sh = allow access via path(sP), or C/M.rv = blind target and respond to source).

The C/M Process will update the queue processing flags to dictate the resultant action to be taken by access controller unit AP1U or access controller unit RU1 as required to complete the transaction. Declassified C/M (allowed) are allowed to all systems and may be streamed concurrently to the target and its shadow when necessary. Access port attachments with the m permission may issue all restricted C/M, even those which are privileged. Privileged commands are denied to all other access port attachments, and the access controller unit AP1U or access controller unit RU1 will respond as appropriate to placate the source and nullify the C/M effect while withholding the C/M from the intended target. C/M which specify upcoming data transfers may be substituted, or allowed as dictated by the perm restrictions, and the processing component IDC will update the stack TS record illustrated in FIG. 13 with the bus control forecasts required to enforce the perm restrictions during the transfer. In particular, privileged C/M are those whose effects may directly or indirectly affect pending tasks initiated from other sources, or modify the prescribed operation of the target. Restricted control C/M are those which are direction specific and thus must be directed to the target or its shadow as appropriate. All data transfer C/M are restricted, and are specifically those which direct the target to begin or continue a data (as opposed to control and status) transfer. These are restricted because the target to which they will be delivered, or the manner in which the transfer will be processed, may need to be modified to meet the perm restrictions.

SCSI DAC Access Control

Once inspected, controllers PCC of access controller unit RU1 and of access controller unit AP1U co-operate to act on the queued C/M as directed by processing component IDC. When directed to discard the C/M (C/M.rv, i.e. both C/M.1° and C/M.sh negated), controller PCC invalidates the C/M queue and initiates an appropriate response to the sender. Concurrently, the complementary controller PCC disables the target's bus at transfer port TPy and activates its return to the sender so that the sender can receive the response. For all other processing directives, the sender is blinded (output to its bus is latched by lpath(xx)) while the C/M is forwarded to the receiver (recall that the C/M may have been substituted by processing component IDC). When a receiver and its shadow must concurrently receive a C/M, their paths are activated and they can receive the forwarded C/M concurrently. Conversely, when the C/M is to be forwarded to only the target or only its shadow, the other's path is blinded during the C/M forwarding.

Finally, when a C/M that specified a data transfer has been processed by the receiver and the data transfer is about to begin, the respective controller PCC consults stack TS and asserts the recommended bus controls to ensure that the transfer does not overstep the perm specifications. Table III summarises the possible bus controls (sigs or sh) set in stack TS by processing component IDC:

TABLE III. Format and use of the sigs record (sigs.DBx:CBy) used by the SCSI DAC. Note: sigs and sh are identical records but are used to indicate whether the 1° or the shadow (respectively) is the target.

DB  CB  symbol     Data mode effect
00  00  DBi:CBi    Foil attempt to read storage with w perm. DAC allows the read but blinds the reader by sending null data to the receiver and collecting the data from the source. Source and receiver drive the CB signals.
00  01  DBi:CBp    Foil attempt to write storage with w, *w, rw or m perm after a system compromise has been pronounced. DAC substitutes the write with a read and collects the data from the source. Source and receiver data paths are isolated.
00  10  DBi:CBs    Foil attempt to read storage with r, *r, rw or m perm after a system compromise has been pronounced. DAC sends data to the receiver. Source and receiver data paths are isolated.
00  11  DBi:CBi/o  Foil attempt to write storage with r perm. DAC substitutes the write with a read and collects the data from both source and receiver. CB is engaged but DAC inverts the direction control signal during the transfer.
01  xx  DBp        Allow attempt to read or write storage with r, w, rw or m perm. Source and target are allowed to transfer data in the allowable direction.
10  xx  DBs        Allow attempt to read or write storage with *w or *r perm. Source and the target's shadow are allowed to transfer data in the allowable direction.
11  xx  clear      Uninitialized; no current or pending data transfer predicted.

(xx = irrelevant)

Table III explains the usage of the sigs and sh records that are used to record predicted data transfer mode handling by access controller unit APxU and access controller unit RUy. The sigs and sh are identical records but are used, respectively, to indicate whether the 1° or the shadow is the target. Each record has two fields: field DB, which controls the state of the data bus DB, and field CB, which controls the state of the control bus CB, the communication control signals, and indirectly the operations of access controller units APxU and RUy. In Table III, “symbol” represents the manner in which the field selection will be denoted, and “Data mode effect” explains how and why the controls are applied. The sigs record is applied only during a SCSI “data mode” event (see Table II). For the purpose of Table III, the shadowed *r and *w permissions are treated identically to the implied r and w permissions, except for the choice of target.

In the cases of Table III, processing component IDC allows a Read C/M issued by the sender to be delivered unmodified to a w storage unit. However, the ensuing data transfer is controlled by isolating the data bus DB between the sender and the receiver, and the sending controller PCC holds the receiver's data as null for the duration of the transfer. Both sender and receiver control buses CB are connected and synchronized so that the C/M sender believes the transfer is occurring as requested. In addition, processing component IDC substitutes a Write C/M to an r storage with a Read C/M before delivery to the receiver. During the ensuing data transfer, the data buses DB are isolated and the control buses CB are connected, but the I/O direction signal is inverted so as to appear as expected by the original C/M sender. For a DAC 10A that supports the shadow feature, the same inappropriate transfers (read and write) to *w and *r storages respectively actually proceed normally as if allowed, but the transfer is performed with their shadows instead. DAC 10A uses these bus control techniques to negate the need to emulate the entire data transfer process, which can include the ability to support Disconnection and Reselection. SCSI systems can be directed to Disconnect, i.e. pause the transfer and release the bus. Of course this requires that the storage devices reconnect and Reselect the source(s) at some point later to complete the transfer. Emulating this would require extra circuitry and processing power to save and restore numerous pending transfers and to properly schedule reconnection to potentially many different sources. By allowing the target to do an actual transfer (even though it may be in the wrong direction) and simply controlling whether the data arrives where intended, DAC 10A can support true transparency with relatively low overhead and complexity.
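The following Python model, added here as an illustration and not part of the patent, reproduces the data-phase behaviour of Tables II and III and the C/M flags of FIG. 16: a forecast of the sigs (DB, CB) fields from the permission and the requested transfer direction, the resulting data-phase outcome (a write to an r storage substituted by a read, a read from a w storage answered with null data, *r and *w transfers diverted to the shadow, every transfer foiled once a compromise has been pronounced), and the 1°/sh/rv flags returned to controller PCC. Storage units are bytearrays standing in for a storage device SDy and its shadow; the constant names, the plain r/w label given to the shadow of a *r/*w primary, and the 'compromised' flag are this example's own assumptions.

```python
"""Data-phase enforcement of Tables II/III and the C/M flags of FIG. 16.
Illustrative model, not part of the patent.  'primary' and 'shadow' are
bytearrays standing in for a storage device SDy and its shadow sTy."""

# Table III field encodings (constant names are this example's assumption)
DBi, DBp, DBs, DBclear = 0b00, 0b01, 0b10, 0b11   # data bus: isolate / primary / shadow / clear
CBi, CBp, CBs, CBio = 0b00, 0b01, 0b10, 0b11      # control bus: i, p, s, i/o inverted
SHADOWED = ("*r", "*w")


def shadow_permission(primary_perm):
    """The shadow of a *r primary absorbs writes, the shadow of a *w primary
    serves reads; rw and m have no functional opposite and cannot be shadowed.
    The plain r/w label is this example's assumption."""
    if primary_perm not in SHADOWED:
        raise ValueError(f"{primary_perm!r} cannot be shadowed")
    return "w" if primary_perm == "*r" else "r"


def forecast(perm, op, compromised=False):
    """sigs = (DB, CB) that processing component IDC records in stack TS for a
    data-transfer C/M; op is 'read' or 'write'.  CB is None where Table III
    marks it irrelevant (xx)."""
    if perm == "na":
        raise PermissionError("target is not visible to this access port")
    if compromised:                        # Table III rows DBi:CBp / DBi:CBs
        return (DBi, CBp) if op == "write" else (DBi, CBs)
    reads_ok = perm in ("r", "rw", "m", "*r")
    writes_ok = perm in ("w", "rw", "m", "*w")
    if op == "read":
        if reads_ok:
            return (DBp, None)             # Table II: read SDx
        return (DBs, None) if perm == "*w" else (DBi, CBi)    # shadow / null data
    if writes_ok:
        return (DBp, None)                 # Table II: write SDx
    return (DBs, None) if perm == "*r" else (DBi, CBio)       # shadow / inverted I/O


def cm_flags(perm, cm_class, op=None):
    """Flags handed back to controller PCC in the C/M queue record:
    '1o' deliver via path(tP), 'sh' deliver via path(sP), 'rv' blind the target
    and answer the source.  cm_class: 'declassified', 'privileged' or 'data'."""
    if cm_class == "declassified":         # allowed to all; mirrored to a shadow
        return {"1o": True, "sh": perm in SHADOWED, "rv": False}
    if cm_class == "privileged":           # only the m permission may issue these
        if perm == "m":
            return {"1o": True, "sh": False, "rv": False}
        return {"1o": False, "sh": False, "rv": True}
    db, _ = forecast(perm, op)             # data-transfer C/M: routed by forecast
    return {"1o": db in (DBp, DBi), "sh": db == DBs, "rv": False}


def data_phase(perm, op, payload, primary, shadow=None, compromised=False):
    """Run one data phase under the forecast controls.  For 'write', payload is
    the bytes the source drives; for 'read', the number of bytes it expects.
    Returns (bytes the source receives, sigs); primary/shadow are mutated."""
    db, cb = forecast(perm, op, compromised)
    target = {DBp: primary, DBs: shadow}.get(db)   # None: data bus isolated
    if op == "write":
        if target is not None:
            target[:len(payload)] = payload
        # With DBi the write was substituted by a read (CBp / CBio): the source
        # sees a completed transfer but no storage unit received its data.
        return b"", (db, cb)
    if target is None:
        return bytes(payload), (db, cb)    # null data to the reader (CBi / CBs)
    return bytes(target[:payload]), (db, cb)


if __name__ == "__main__":
    disk = bytearray(b"SECRET!!")
    print(data_phase("r", "write", b"OWNED!!!", disk), disk)   # disk unchanged
    print(data_phase("w", "read", 8, disk))                     # eight null bytes
```

The point the model makes is the one the paragraph above makes: the target always performs a real transfer, so DAC 10A never has to emulate Disconnect/Reselect state, and the only thing decided per transfer is where the bytes are allowed to land.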

SCSI DAC Path Dissolution

A communication session ends when the devices complete their transfer (or DAC 10A tricks them into disconnecting, if a connection time limit is implemented) and release the bus. Controller PCC detects this by noting when a target issues the “Command Complete” or “Disconnect” message to the source. In response to a Command Complete C/M, and before requesting release of the path, the data transfer control flags sigs and sh are cleared to disable all further data transfers that might arise without approval, and the processing component IDC is invoked to release resources of DAC 10A. The Disconnect-in C/M leaves the data transfer controls intact and simply requests that the path be released. In either case, processing component IDC is alerted to the impending bus release by controller PCC asserting signal R/P while signal Lock is asserted. This causes processing component IDC to enter the “Free USID” procedure illustrated in the flowchart in FIG. 17 to determine whether to release the unique source identifier USID for reuse.

The flowchart in FIG. 17 depicts the operations required to release any unique source identifier USID for later reuse. The unique source identifier USID is released only if it belongs to the requesting port and if that port has no outstanding transfers in place. Regardless of whether the unique source identifier USID can be released, the communication path can be released for reuse.

The other resources that were recruited for the path (the access port APx, transfer port TPy, and the shadow transfer port) are released to allow other systems to gain access to them. This ends the involvement of processing component IDC and controller PCC. Access controller units AP1U and RU1 disable their processing of the inputs from access port AP1 and transfer port TP1, and deactivate the paths to the target (path( )) and the shadow (spath( )), at which point both can no longer act in unison. Their Alert modules linger in a cycle, awaiting the indication that their attachments have released the bus before they release signals Lock and Interlock and re-enter the bus free state.

SCSI DAC Access Transparency and Source Identification

Note that at no time can an attachment address DAC 10A or notice any difference in the function of its storage systems, while DAC 10A can redirect and substitute C/M exchanged between attachments. Thus DAC 10A is truly a bus device. Furthermore, DAC 10A can do what is necessary to avert an access breach without the attachments being able to determine that their communications are being manipulated (stealth technology). DAC 10A enforces transparent access by ensuring that each communication path is completely private. In this manner, no attachment at any port can ever detect communication between any other attachments even though there might be several concurrent paths established (i.e. port snooping is now ineffective). Each target can be shared among multiple sources, each accessing the target with different permissions. Each port can be programmed to accept only a particular attachment ID; thus the physical port connection now attaches an unmodifiable location dimension to all IDs or other identity validation mechanisms.

SCSI DAC Access Control Extension

DAC 10A can be designed to inspect more than just the control signals and C/M, using the same techniques used for C/M inspection to inspect the data being transferred. This may introduce small response lags when the attachments change phases, but data transfers can proceed at full speed provided that controllers PCC are supplied with sufficient memory to buffer the transported information. This kind of monitoring can also pool the received transmissions at some collection point in order to gain the luxury of offline logging and inspection with more processing power. This adaptation is possible because it still does not require DAC 10A to support the disjointed transfers, since DAC 10A can allow the target and source to operate as given by the SCSI specifications.

Feature: DAC Shadows

An added feature of DAC 10A is the use of shadowing of storage units to add a further element of access control and offer auditing capabilities. A shadow storage is allocated from one of the attached storage devices SDy and is assigned to be the shadow of any other storage device SDy via programming of unit ACI. Shadowing is activated by the assignment of the shadow permissions, *r or *w, to a primary storage unit (1°). When permission is assigned to the 1° of a shadow pair, the declared shadow is automatically assigned the opposite permission. This implies that the rw and m permissions cannot be shadowed since they have no functional opposites (C/M restricted at rw storage are too dangerous to the shadow). Shadow storages have their own unique ID by which they can be explicitly addressed on DAC 10A, and which must be made unusable by affected access ports APx. In this manner, the attachment will be unable to distinguish the *r or *w 1° storage from an r or w storage unit. Access to the shadow is controlled purely by DAC 10A and only on invocation of the restricted permission being attempted at the 1° storage unit. Processing component IDC signals controller PCC to make the path switch before forwarding/processing C/M, and for restricted data transfers. Switching entails latching of the signals presented to the 1° storage unit (at a bXXn, as shown in section D° of FIG. 3), with a concurrent selection of the shadow's path (also via a bXXn, as shown in section D° of FIG. 3). Reservation of the shadow path by processing component IDC and activation of the shadow path when signal Interlock was asserted ensures that the path is readily available. Shadows can help to stabilise restricted environments such as read-only OS drives, and imbue the affected attachment with immunity to OS manipulations, preventing attackers from modifying or otherwise controlling the attachment. Shadows are also excellent tools for logging true-positive intrusion attempts, leaving an attacker with no way to prevent the logging and no recourse once the log has been made. This makes shadows ideal for triggering real-time intrusion alarms. Aside from being used for intrusion detection, shadows passively absorb viruses and trojans when they attempt to install themselves onto disks, and absorb the effects of viruses and web-page defacing, events that would otherwise destroy or modify stored information.

Overall Operation of SCSI DAC

In summary, the state diagram in FIG. 18 shows the full operation of DAC 10A. After Reset/Initialization, each state element is valid for any initiating attachment and for the circuitry involved in establishing an access port to transfer port connection and mediating a communication event between a source and target attachment.

RAM Oriented DAC

The following description applies the general principles discussed above to an embodiment of DAC 10 suitable for random access memory (RAM).

Within computers, programs often interact in a manner similar to the manner in which computers interact on a network. There are programs that offer services to other programs (server-types), and there are programs which request services from other programs (client-types). This is the essence of the client-server model of networks and, not surprisingly, the problems that networks have with respect to sharing storage also exist within computers. However, the methods used to exploit these problems are complicated by the nature in which RAM is used, which in turn complicates the apparent task of the RAM oriented DAC 10B.

Problems to Solve

For a DAC 10B to adapt RAM for use as a secure storage medium, several problems arise regarding the manner in which RAM is used by the computer under normal conditions, which serve as the basis for security breaches. Unlike the SCSI oriented DAC 10A, which in essence separates the control of disk storage from the computer, it is not accurate to say that the RAM oriented DAC 10B separates the control of RAM from the computer or the CPU. RAM is, in fact, an integral part of the computer, i.e. without RAM the computer, as we know it, cannot exist or function. The difficulties are ones of conception:

1. While the computer is the processing device and disk is the storage device for networks, inside the computer the CPU is the processing device and RAM is the storage device. The RAM oriented DAC 10B needs to protect memory from illegal accesses by the CPU.

2. The CPU is not on par with the computer as a processing unit; it requires a program in order to attain the same level of functionality. However, programs exist in memory, the very storage device that a RAM oriented DAC 10B needs to keep secure from illegal access by processing systems. Several programs may exist in or use memory at the same time, thus a RAM oriented DAC 10B must protect programs from illegal access made by other programs.

3. Programs and data are essentially the same with respect to memory (the storage units for computers) and with respect to the CPU (the processing unit of computers). Neither the location nor the time of existence of programs or data in memory can be pre-determined. A RAM oriented DAC 10B must allow for the dynamic definition and redefinition of memory areas as programs or data, and must maintain and protect this partitioning for as long as is needed.

4. Corruption of programs can have the same effect on the security of the program's data (stored information for programs) as illegal access to the data itself, so the RAM oriented DAC 10B must protect programs from themselves as well as protect their data from other programs.

RAM DAC Characteristics

Thus, transparent sharing of RAM storage implies both the transparent usage of memory for data and program as well as the transparent sharing of stored data between programs. Programs and their data reside in memory, so a DAC 10 applied to RAM will provide program instruction partitioning and access protection to their data sets in much the same manner as the SCSI oriented DAC 10A provides partitioning between computers on networks by applying access protection to storage. RAM uses separate address buses and data buses DB; thus the processing of a DAC 10B as a RAM bus will be much simpler than in respect of the SCSI oriented DAC 10A. However, the RAM oriented DAC 10B requires more flexibility and involves more complex techniques because of the dynamic nature of memory configurations required by a system at any instance in time. Memory is arranged as one contiguous range of IDs wherein each memory unit (bit) has its own unique ID. Industry standards have defined slightly larger groupings of bytes (8 bits), words (2 bytes), and double and quad words (4 and 8 bytes) but, to date, the memory efficiency of software decreases dramatically with the size of the grouping. Thus the byte remains the atomic memory unit. This arrangement creates a huge problem because memory in a computer can number in the millions or billions of bytes. It is therefore infeasible, if not impossible, to control access to each unit individually, as was possible with the SCSI oriented DAC 10A. The physical compartmentalization of many storage units onto one storage device, as with SCSI hard drives, would make it ideal for assigning an ID to each device. This is what enabled the SCSI oriented DAC 10A to provide physical access points between devices as access ports and transfer ports. The granularity of memory and the dynamic allocation of memory precludes the use of physical access ports and transfer ports and necessitates a logical representation of the same for the RAM oriented DAC 10B. And while the access port attachments are physically and operationally distinct from the attachments at any transfer port in the SCSI oriented DAC 10A, there is currently no clear distinction between any parts of the memory structure within a computer. Thus some logical construct must be created to yield the functionality of the DAC 10 as depicted in FIGS. 1 and 2.

RAM DAC APs and TPs and their Attachments

To this end, we will define an access port attachment (or “AP-attachment”) as a disjoint program fragment. Each complete program is assigned a unique ID when using DAC 10B. This program ID becomes the access port identifier APID for the access port AP to which the program is attached and to which DAC 10B associates its AP-attachments. Each AP-attachment is defined by a memory range used to contain instructions and to which DAC 10B will only allow access for program instructions. Each AP-attachment should encompass program instructions that are functionally related (a program thread), or are contiguously grouped but non-contiguous with respect to other attachments of the same access port AP.

Transfer ports TP are used to group data ranges (TP-attachments) that are assigned to, and associated with, each AP-attachment. A transfer port identifier TPID is the semi-unique ID assigned to each transfer port TP, and each transfer port TP must be associated with at least one AP-attachment at the access port AP in question. The access port AP in general, and the specific AP-attachment in particular, may access the TP-attachments as data.

FIG. 19 is a general schematic illustration showing the logical re-arrangement of RAM memory effected by use of RAM oriented DAC 10B to achieve the functionality of DAC 10. As illustrated in FIG. 19, programs “connect” to DAC 10B at access ports AP and data “connect” to DAC 10B at transfer ports TP; by defining access ports and transfer ports and their attachments in this manner, a logical arrangement results that parallels the arrangement for the general DAC shown in FIGS. 1 and 2. Access is allowed vertically and only between specific programs and their assigned data. This horizontal separation between program code and data-sets allows DAC 10B to enforce access permissions between access ports AP and transfer ports TP. In addition, the vertical separation that exists between the groups of program plus accessible data allows DAC 10B to provide unbreachable access to private data, transparent access to shared data, and total disjunction between programs. In multi-CPU environments of all types, this logical configuration is also achieved with respect to the CPU and its attendant program and data sets.

RAM DAC Required Components

Obviously then, each access port AP and each transfer port TP must be dynamically allocated at runtime because each access port AP will attach a program, and each transfer port TP will attach some data-set belonging to the program. The dynamic allocation of memory to programs and data necessitates the flexibility of runtime programming of this type of DAC 10B, and the ability to restrict programming access to a select few programs in order to assure the required security. As such, the embodiment of DAC 10B involves a core hardware component that handles the predictable security functions, and separate, supportive software components (the boot-driver and OS-driver) that handle the programming interface and the unpredictable aspects of computing. Only security-specific aspects of the software will be discussed here, since other aspects will vary according to the requirements of system designers, and those aspects are unimportant to the concept of the DAC 10B.

An n-way range lookup table APRT functions as an “AP Request Translator” to validate whether an address falls within the instruction ranges of the currently active access port AP on DAC 10B. Similarly, an n-way range lookup table TPRT functions as a “TP Request Translator” to validate whether an address falls within the data ranges of the currently active transfer port TP on DAC 10B.

FIG. 20 is a state diagram showing the overall operations of the hardware component of DAC 10B. To convert the logical separation of memory ranges that define AP-attachments and TP-attachments into physical separation at runtime, each and every memory access must be validated and enforced. However, unlike the SCSI oriented DAC 10A, which must interpret and react to commands being sent between access ports APx and transfer ports TPy, the RAM oriented DAC 10B can, but need not, interpret CPU instructions in order to detect inappropriate memory access attempts. Because the security problems that exist in single CPU systems also apply to multi-CPU systems (that is, the programs are the true processing entities and the source of security risks), the remaining discussion will not distinguish between single and multi-CPU environments nor between their DACs 10B.

RAM DAC Hardware

FIG. 21 is a detailed schematic illustration of the components of DAC 10B. In particular, FIG. 21 shows the means by which all access to memory can be partitioned into program specific accesses for monitoring and control. Sections A₀ and A₁ are functionally similar to section A on the SCSI oriented DAC 10A, logically representing the access port paths from which attachments make access requests to memory. Likewise, sections B₀ and B₁ logically represent the transfer port paths through which data is accessed. Section C is similarly the main processing section of DAC 10B. AP-attachments and TP-attachments on DAC 10B must share the same physical address and data paths through DAC 10B. As a result, sections C₁ and C₂ are used to discriminate between access port and transfer port accesses while section C₃ directs and controls the internal data paths for all incoming and outgoing signal buses according to the access permission. In multi-CPU environments where the CPUs share the entire memory space, sections A and the CPU attachment interface bCB can be replicated to accommodate each CPU. To adapt discrete memory multi-CPU systems, sections A and B, the table APRT, the table TPRT, and the registers of DAC 10B, as well as bCB, must be replicated such that each A-B-APRT-TPRT-DAC registers-bCB set is private to each CPU. An access controller AC in section C₃ would serve as the interconnecting medium and central regulatory component similar to the processing component IDC of the SCSI oriented DAC 10A.

In effect, FIG. 21 represents the hardware implementation of DAC 10B that will segregate memory, as shown in FIG. 19, into m TP-attachments which may be shared among n AP-attachments. This hardware is dynamically programmable and will assert and maintain the memory segregation until it is no longer required. The hardware is designed to be inserted into the bus paths between a processing unit and the memory resources of a computer. The hardware of DAC 10B includes:

1. an address bridge bus bAB that allows transfer of addresses from the Address′ bus to controller AC and from controller AC to the Address bus (bus bAB also facilitates the simultaneous address transfers from the Address′ bus to the Address bus shown in FIG. 21 and between internal components of DAC 10B);

2. a data bridge bus bDB that allows the transfer of data between DAC 10B and either the Data bus or the Data′ bus (bus bDB also facilitates simultaneous data transfers between the Data bus and the Data′ bus and between internal components of DAC 10B);

3. an address transfer bus bAT, which is a common data bus internal to DAC 10B that transports data between controller AC and table TPRT or table APRT, and between controller AC and bus bAB and from bus bAB to table TPRT or table APRT; and

4. a data transfer bus bDT, which is a common data bus internal to DAC 10B that transports data between components of DAC 10B and between DAC 10B and bus bDB.

Bus bAB and bus bDB allow permitted accesses to proceed to completion, while bus bAT and bus bDT are freed for use by DAC 10B to perform “housekeeping” functions concurrently. The table APRT and table TPRT are implemented as n-way caches that can perform all n range comparisons in parallel. This measure increases the efficiency of DAC 10B and minimizes the latency introduced by access validation.

An access port table DAP comprises cache memory dedicated to being used as access port definitions in DAC 10B, while a transfer port table DTP comprises cache memory dedicated to being used as transfer port definitions in DAC 10B. The cache used as table DAP and table DTP can be implemented as a single unit, but they are shown as separate modules in FIG. 21 only for the sake of clarity. The cache and registers of DAC 10B are memory mapped and accessible to software in whose transfer ports TP they are defined.

RAM DAC Hardware Registers

FIG. 22 is a diagram showing the logical arrangement of the internal cache memory of DAC 10B as it is utilized by DAC 10B. The following description applies specifically to the internal organization for the single CPU implementation, but holds true for multi-CPU models except that, in respect of multi-CPU models, the pages are arranged in sequentially grouped blocks (a “block” is described below), one for each CPU in discrete memory systems. All registers of DAC 10B are memory-mapped, allowing it to protect access even to its own registers and cache memory. The first page holds the device descriptor registers used to identify the type and capabilities of DAC 10B. The next few pages of the cache hold the Control and Interface register sets used to communicate with DAC 10B. The cache memory is also a repository for descriptors used by tables APRT and TPRT for access port and transfer port definition respectively via tables DAP and DTP. The next n×y subsequent pages are allocated for access port descriptors arranged as n access ports AP, each capable of owning y non-contiguous code fragments (AP-attachments), and each code fragment can specify its own transfer port TP. The remaining pages are allocated for m×n×y transfer port descriptors grouped as n×y transfer ports TP, with each transfer port TP capable of containing up to m distinct non-contiguous data ranges (TP-attachments).

While the memory map of the hardware memory pages and registers of DAC 10B is shown in FIG. 22, a more detailed description of its registers, their arrangement and their purpose is given in Tables IV and V:

TABLE IV. RAM DAC Minimum Control Register Set.

Register    Address    Function
DAC (rw)    DAC        Programmable DAC memory address register used to relocate the DAC (Dloc) and its register sets in memory.
DAR (r)     DAC + 8    DAC address range = DAC + the size, in bytes, of the DAC device.
DAP (r)     DAC + 16   DAC AP memory address register used to locate the start of the AP descriptors; AP descriptors begin after the last register.
AP (*r)     DAC + 24   Access Port: attachment ID indicating the program currently being executed; writes to AP are shadowed to hAP.
TP (r)      DAC + 28   Transfer Port: active resource table pointer for the current AP.
DTP (rw)    DAC + 32   DAC Transfer Port memory address register; read = start of the TP descriptors, write = relocate TP descriptors (relative offset from DAP).
DCP (rw)    DAC + 40   Control Port: controls for special state handlers.
DSP (r)     DAC + 48   Status Port: records the state of the DAC.

r = readable, w = writeable, *r = readable with shadow.

TABLE V. RAM DAC Minimum Interface Register Set.

Register      Address     Function
DID (id)      DAC         ID signature of the DAC.
hAP (rw/s)    DAC + 52    AP holder: AP of pending task switch, or parent AP of current AP.
iJump (rw)    DAC + 56    Instruction code for call “iAP handler” to invoke the software component.
iAP (rw)      DAC + 76    AP for the interrupt/exception handler; iAP is invoked during iACK.
eCall (rw)    DAC + 66    Instruction code for “call eAP handler” to invoke the software component.
eAP (rw)      DAC + 80    AP for the task access violation handler, invoked on an attempt by an AP to access an unowned resource or to invoke another AP.
iAddr (r)     DAC + 84    AP + address of the last validly executed instruction.
Eaddr (r)     DAC + 96    AP + address of the instruction fetch that triggered an access violation.
Vaddr (r)     DAC + 108   AP + address of the task that invoked the most recent task switch.
Daddr (r)     DAC + 120   AP + address of the last data access that triggered an access violation.

r = readable, w = writeable, /s = writeable shadow of AP, id = readable when mapped in.

Table IV lists the minimum set of control registers required for proper implementation of DAC 10B. Control registers are reserved for use by the software component of DAC 10B only and are critical for the proper initialization and use of DAC 10B for secure memory sharing. Table V lists the minimum set of interface registers required for proper implementation of DAC 10B. Interface registers are used by the software components of DAC 10B and may be assigned to the operating system (OS) to allow the OS to manage programs. This register set will provide sufficient information to allow error and exception handlers to locate and deal with the offending program.

The registers are arranged in order to give DAC 10B a smaller memory footprint in the system. The first page is occupied by DAC ID registers DID which contain read-only information about the DAC hardware type, version, capabilities etc. to allow recognition by software when not initialized. Register DID is the only visible element of DAC 10B until the software component loads and submits its ID into a designated address within register DID. When DAC 10B recognizes the software's ID, it maps out register DID to reveal all its registers for access. The control registers give the status of DAC 10B and control the operations of the hardware of DAC 10B. The interface registers allow the software to adapt DAC 10B to the specific environment of the host machine and its software environment. The register set is designed to minimize the effort that supervisory programs must expend when performing management of tasks that have been animated. They also provide such programs with sufficient information to resolve access violations in order to effect the appropriate response. Note that each register is assigned a default permission. DAC 10B can be used to assign some or all of its registers to the transfer ports TP of select software. However, the access mode assigned at runtime will not supersede the default permission given in the tables; that is, a read-only register will never be successfully modified even if the software assigns it a writeable permission. In addition, the shadow of the access port register will always be the “AP holder” register hAP regardless of the assigned transfer port permission. Note also that even though writes to access port AP are shadowed to register hAP, register hAP itself is readable and writeable. This allows for the definition of the parent of a task by writing to register hAP with no other consequence, but a write to access port AP will clear the task-switched flag (DSP.ts) of the status register DSP and update register hAP instead of access port AP. This allows approved task-switch requests to be posted by writing the task's access port identifier APID to the access port register. Programs are not allowed to modify access port AP since DAC 10B uses it to locate the instruction and data pages of the currently active task, and a modification would cause all further CPU accesses to memory to yield indeterminate results.
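The register rules just described (a default permission that a runtime transfer port permission cannot exceed, writes to access port AP landing in hAP and clearing DSP.ts, hAP itself being directly writeable, and only the hardware updating AP) are modelled below as an added example. This is illustrative code written for this page, not the patent's own design; the bit position of DSP.ts, the register value 0 as the reset state, and the way hardware_task_switch() commits the pending hAP are assumptions.

```python
# Added illustrative model of the DAC 10B register-permission rules (not the
# patent's own code). Default permissions are taken from Tables IV and V.
# DSP_TS and hardware_task_switch() are assumptions made for this example.

# r = readable, w = writeable, *r = readable with shadow, rw/s = shadow of AP.
DEFAULT_PERM = {
    "DAC": "rw", "DAR": "r", "DAP": "r", "AP": "*r", "TP": "r",
    "DTP": "rw", "DCP": "rw", "DSP": "r", "hAP": "rw",
}
DSP_TS = 0x1  # assumed bit of status register DSP holding the task-switched flag


class DacRegisters:
    """Control/interface register file with the permission semantics of DAC 10B."""

    def __init__(self):
        self.regs = {name: 0 for name in DEFAULT_PERM}   # assumed reset value 0
        self.tp_perm = {}  # access mode software assigned to each register via a TP

    def assign_tp_perm(self, name, perm):
        """Software maps a register into a transfer port with mode 'r', 'w' or 'rw'."""
        self.tp_perm[name] = perm

    def read(self, name):
        """Return the register value, or None if the caller's TP does not grant 'r'."""
        if "r" not in self.tp_perm.get(name, ""):
            return None
        return self.regs[name]

    def write(self, name, value):
        """Apply a software write and report what the hardware did with it."""
        if "w" not in self.tp_perm.get(name, ""):
            return "denied"       # register is not writeable in the caller's TP
        if name == "AP":
            # Writes to AP never reach AP: they land in hAP and clear DSP.ts,
            # regardless of the TP permission software assigned to AP.
            self.regs["hAP"] = value
            self.regs["DSP"] &= ~DSP_TS
            return "shadowed"
        if "w" not in DEFAULT_PERM[name]:
            return "ignored"      # default permission wins: read-only stays unmodified
        self.regs[name] = value
        return "written"

    def hardware_task_switch(self):
        """Only the hardware updates AP; here it commits the pending hAP (assumption)."""
        self.regs["AP"] = self.regs["hAP"]
        self.regs["DSP"] |= DSP_TS
        return self.regs["AP"]
```

Giving DAR a writeable TP permission still leaves it unmodified, while a write to AP shows up only in hAP; a supervisory program therefore posts a task switch by writing AP and lets the hardware perform the transition.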

RAM DAC Permission and Access Tables

The tables APRT and TPRT are the keys to ensuring that a program's access to memory is valid and transparent to all other programs. At any instant they hold the definition of the instruction and data-set address ranges of the currently active program. Their actions guarantee that unauthorised access to instructions or data belonging to other programs will always be detected. On every access to memory by the CPU, they (concurrently) check the target address against those allowed to the currently active program. Based on their report, controller AC may allow the program's activity, which could cause refreshing of table TPRT, or may trigger an access violation error to alert the enforcement software.

FIG. 23(A) is a diagram showing the implementation of table APRT as an n-way range lookup table holding the AP-attachments assigned to the current access port (task) and their associated data set selectors (transfer port identifiers TPID). The pages of table APRT are mapped into the cache memory of table DAP. A successful instruction address lookup is one that fits within an AP-attachment defined by one of the pages, and that page must not have a null port identifier TPID. The match result and the valid port identifier TPID are returned to controller AC for further processing. Table APRT is refreshed from the memory ranges of table DAP and only by a successful write to the access port register of this DAC 10B. Only the hardware of DAC 10B can update the access port register, which it does only if a task transition is allowed to occur.

FIG. 23(B) is a diagram showing the implementation of table TPRT as an n-way range lookup table containing the data ranges (TP-attachments) of a transfer port TP assigned to the current AP-attachment, their associated access permissions, and the shadow offset if defined. The pages of table TPRT are mapped into the cache memory of table DTP. A successful data address lookup is one that fits within the range defined by one of the m TP-attachments with the correct permissions for the mode of access requested. The match result and the computed shadow address are returned to controller AC for further processing. Table TPRT is refreshed from the memory ranges of table DTP only by a successful write to the transfer port register of this DAC 10B. Only the hardware of DAC 10B can update the transfer port register, and only when a successful task transition occurs or a valid AP-attachment (page) that defines a new transfer port TP is asserted.

Taken as a whole, FIG. 23 shows the relationship between the contents of lookup tables APRT and TPRT and definition tables DAP and DTP respectively. As demonstrated in FIG. 23(A), the contents of table APRT are refreshed from the memory of table DAP when controller AC modifies the access port register when changing the currently active program. FIG. 23(B) shows the refreshing of the contents of table TPRT from the memory of table DTP, which occurs when controller AC updates the transfer port register with a new value during a successful instruction fetch into a different AP-attachment defined by a page of table APRT.
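The lookup and refresh path described for tables APRT and TPRT (and introduced under "RAM DAC Required Components") is shown below as an added example: a task switch reloads APRT from DAP, an instruction fetch that lands in an AP-attachment naming a different TPID reloads TPRT from DTP, and a data access must hit a TP-attachment whose permission covers the access mode, with the shadow address computed when a shadow offset is defined. This is illustrative code written for this page, not the patent's circuitry. Ranges are modelled as half-open [lo, hi), TPID 0 is taken to be the null identifier, the redirect of writes to "address + shadow offset" is an assumption about how the shadow address is used, and the descriptor contents are constructed.

```python
# Added illustrative model of the APRT/TPRT validation path of DAC 10B (not the
# patent's circuitry). Assumptions: half-open ranges, NULL_TPID == 0, and writes
# to a shadowed TP-attachment are redirected to addr + shadow offset.

NULL_TPID = 0


class RamDac:
    def __init__(self, dap, dtp):
        self.dap = dap     # {apid: [(lo, hi, tpid), ...]}          AP-attachments (y per AP)
        self.dtp = dtp     # {tpid: [(lo, hi, perm, shadow), ...]}  TP-attachments (m per TP)
        self.AP = None     # access port register: current task
        self.TP = None     # transfer port register: current data set
        self.aprt = []     # n-way range table refreshed from DAP
        self.tprt = []     # n-way range table refreshed from DTP
        self.eAddr = None  # last instruction fetch that raised a violation
        self.dAddr = None  # last data access that raised a violation

    def task_switch(self, apid):
        """Hardware-side AP update: refresh APRT; TPRT follows on the next fetch."""
        self.AP = apid
        self.aprt = list(self.dap.get(apid, []))
        self.TP = None
        self.tprt = []

    def instruction_fetch(self, addr):
        """Validate a fetch against APRT; returns 'ok' or 'violation'."""
        # The hardware compares all n ranges in parallel; the loop stands in for that.
        hits = [tpid for lo, hi, tpid in self.aprt if lo <= addr < hi]
        if not hits or hits[0] == NULL_TPID:
            self.eAddr = addr
            return "violation"
        if hits[0] != self.TP:          # fetch crossed into a fragment with a new TP
            self.TP = hits[0]
            self.tprt = list(self.dtp.get(self.TP, []))
        return "ok"

    def data_access(self, addr, mode):
        """Validate a data access ('r' or 'w'); returns the address used, or None."""
        for lo, hi, perm, shadow in self.tprt:
            if lo <= addr < hi and mode in perm:
                # A shadowed range sends writes to the shadow copy instead of the original.
                return addr + shadow if (mode == "w" and shadow) else addr
        self.dAddr = addr
        return None


# Constructed sample descriptors: two programs (AP 1, AP 2) and three transfer ports.
# AP 1 has two code fragments; the second sees the shared range 0x8000 read-only
# and owns a shadowed read-write range at 0xA000.
SAMPLE_DAP = {
    1: [(0x1000, 0x2000, 10), (0x3000, 0x3800, 11)],
    2: [(0x4000, 0x5000, 20)],
}
SAMPLE_DTP = {
    10: [(0x8000, 0x9000, "rw", 0)],
    11: [(0x8000, 0x9000, "r", 0), (0xA000, 0xB000, "rw", 0x10000)],
    20: [(0xC000, 0xD000, "rw", 0)],
}


def build_sample():
    """Return a DAC loaded with the constructed descriptors and AP 1 active."""
    dac = RamDac(SAMPLE_DAP, SAMPLE_DTP)
    dac.task_switch(1)
    return dac
```

With AP 1 active, a fetch from 0x1010 loads TP 10 and a write to 0x8100 succeeds; once execution crosses into the fragment at 0x3000, TP 11 is loaded and the same write is refused while a write to 0xA010 is redirected to 0x1A010. A fetch from AP 2's code while AP 1 is active is recorded in eAddr and only succeeds after the hardware switches tasks.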

When access port AP0 is currently active, writes to table DAP that target descriptors respecting access port AP0 update both tables DAP and APRT. The changes become effective on the next instruction access.

The combined actions of the hardware components of FIG. 21 are summarised in the flowchart in FIG. 24. The flowchart integrates all processes of the hardware of DAC 10B and their contribution to the validation and processing of all memory accesses. Processes in DAC 10B are initiated concurrently to speed the validation process. DAC 10B makes use of highly parallel processing to efficiently validate and process each and every memory access. A memory access is initiated by the CPU and detected by controller AC. DAC accesses and memory accesses are essentially identical with respect to CPU control signals, but DAC accesses do not appear on the external memory bus of the computer.

According to the flowchart in FIG. 24, the hardware itself does not yet fully meet the definition of a DAC 10. Missing are the means by which to create access ports AP and transfer ports TP and the means by which the memory access permissions are set.

RAM DAC Software Components

While access to instructions in a region not defined as an AP-attachment and access to data in a region not defined as a TP-attachment will be denied by the hardware, the access ports AP and transfer ports TP must first be defined, and the dynamic environment required by software makes pre-set control of use allocation nearly impossible. As such, DAC 10B also has software components. Their tasks are to secure the memory resources of the computer and serve portions of it as access ports AP and transfer ports TP as needed (the boot-driver), and to aid the OS with enforcing access violations detected by the hardware of DAC 10B (the OS-driver). The drivers may be implemented as firmware on the same physical unit as DAC 10B, but loadable software will be more flexible and easier to upgrade. The recommended operations of the OS-independent boot-driver functions are depicted in the state diagram in FIG. 25.

FIG. 25 is a state diagram which shows the recommended operational states of the OS independent software component of DAC 10B. Notice that the software component initiates before the OS and that it initiates the OS. DAC 10B must remain in full control of its protected storage devices at all times. Thus the software component of DAC 10B must supersede the OS in control of access to RAM, just as the SCSI oriented DAC 10A supersedes the attachment and its OS in control of access to storage devices.

The functions of the OS-driver (not shown) are to aid the OS with memory and task management, translate these actions into access control specifications for the boot-driver, and translate the boot-driver's realtime violation classifications into OS and application-specific resolution responses.

RAM DAC Initialization

Like the SCSI oriented DAC 10A, the primary access controller unit APxU is responsible for the initialization of DAC 10B and its resources. At system reset, the default settings of the hardware of DAC 10B are asserted, as shown in Table VI, placing it (and thus any active software) in control of all onboard memory and memory mapped devices:

TABLE VI. RAM DAC Interface and Control Registers default values.

Register   Value   [0]port.lo   [0]port.hi   [0].perm   [0].TP
AP         0#      0ffffffffffffffffh^   0
hAP        0#
TP         0       0ffffffffffffffffh^   m
iAP        0       0ffffffffffffffffh^   0
eAP        0       0ffffffffffffffffh^   0
DAC        ^-DAR −10000h*
DAP        160
DTP        DAP + size(APRT)*

* presettable and programmable; # null AP; ^ or max memory location detected.

Table VI shows the default values for the hardware of DAC 10B at system reset. These settings allow DAC 10B to exist in a computer system and retain current functionality until the software components are initialized. These defaults ensure that, like any DAC 10 when inserted into any currently “unaware” system, DAC 10B will make no apparent changes to that system except that register DID will appear in the computer's memory space.

As recommended in the state diagram in FIG. 25, the boot-driver component is best used as the boot loader as this gives it the best chance of securing the entire memory space, including the hardware of DAC 10B itself. The boot-driver initializes itself according to the specifications found in register DID of the hardware of DAC 10B, then prepares the memory space for use. To initialize the memory space, the boot-driver must (in the following order):

1. Relocate its program and data to the top or bottom of memory (dependent on CPU requirements) in order to take itself out of the “free” memory space and leave “free” memory as one contiguous block when possible.

2. Define its instruction ranges as attachments to access port AP0, the primary, and officially null, access port identifier APID.

3. Define its data sets as TP-attachments that are accessible to its AP-attachments.

4. Define the rest of the memory space as “free” TP-attachments to its AP-attachments.

5. Disable interrupts and initialize the registers (eCall, iCall, etc.) of DAC 10B.

6. Relocate DAC 10B to its final operational location in the memory space. Close examination of the flowchart in FIG. 28 (described below) reveals the fact that the hardware of DAC 10B can execute code that is mapped to its own memory range without impeding access to its registers. To protect its own instructions and conserve memory space, the boot-driver hides its AP-attachments by overlaying them with the hardware of DAC 10B.

7. Jump to the relocated “hardware initialization complete” AP-attachment to update the CPU and avert a possible access violation resulting from the next action.

8. Invalidate attachment #0 (the default) by making its address range null (address.lo ≥ address.hi). This will eliminate the memory usage default (all manageable, all executable) and immediately apply the boot-driver's instruction and data access range restrictions.

9. Restore interrupts.
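The ordering of the steps above, in particular the jump of step 7 before the invalidation of step 8, is shown in the added example below. It starts from the Table VI default in which attachment #0 covers the whole memory space, carves out the boot-driver's ranges at the top of memory, and then makes attachment #0 null by setting address.lo ≥ address.hi; if the CPU is still executing from the original load address when that happens, the next fetch is no longer inside any AP-attachment. This is illustrative code written for this page, not the patent's boot-driver; the memory size, the boot-driver's sizes and its initial load address are constructed, and steps 5 and 6 (interrupts, DAC relocation) are recorded but not otherwise modelled.

```python
# Added illustrative model of the boot-driver initialization order (not the
# patent's own code). Sizes and addresses below are constructed for the example.

MEM_TOP = 0x10000            # constructed: a 64 KiB address space
BOOT_CODE_SIZE = 0x1000      # constructed
BOOT_DATA_SIZE = 0x800       # constructed
BOOT_LOAD_ADDR = 0x0400      # constructed: where the loader first runs the boot-driver


def is_null(rng):
    lo, hi = rng
    return lo >= hi          # step 8: a null attachment has address.lo >= address.hi


def contains(rng, addr):
    lo, hi = rng
    return not is_null(rng) and lo <= addr < hi


class BootDriverModel:
    def __init__(self):
        self.ap0_code = [(0, MEM_TOP)]   # attachment #0 default: all executable
        self.ap0_data = [(0, MEM_TOP)]   # attachment #0 default: all manageable
        self.pc = BOOT_LOAD_ADDR
        self.interrupts_enabled = True

    def fetch_allowed(self, addr):
        """An instruction fetch must land in a non-null AP0 code attachment."""
        return any(contains(r, addr) for r in self.ap0_code)

    def data_allowed(self, addr):
        """A data access must land in a non-null TP-attachment of AP0."""
        return any(contains(r, addr) for r in self.ap0_data)

    def initialize(self, jump_before_invalidate=True):
        """Run steps 1 to 9; return whether the boot-driver may still execute afterwards."""
        code = (MEM_TOP - BOOT_CODE_SIZE, MEM_TOP)     # 1. relocate to top of memory
        data = (code[0] - BOOT_DATA_SIZE, code[0])
        self.ap0_code.append(code)                      # 2. instruction range on AP0
        self.ap0_data.append(data)                      # 3. private data as TP-attachment
        self.ap0_data.append((0, data[0]))              # 4. rest of memory as "free"
        self.interrupts_enabled = False                 # 5. disable interrupts
        # 6. relocation of the DAC hardware itself is not modelled here
        if jump_before_invalidate:
            self.pc = code[0]                           # 7. jump into the relocated code
        self.ap0_code[0] = (MEM_TOP, 0)                 # 8. invalidate attachment #0
        self.ap0_data[0] = (MEM_TOP, 0)
        self.interrupts_enabled = True                  # 9. restore interrupts
        return self.fetch_allowed(self.pc)
```

After initialization the free range is still accessible as data but not executable, and the boot-driver's own instruction range is not reachable as data, which matches the "Master AP" description that follows. Skipping the jump of step 7 leaves the program counter outside every remaining attachment.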

At this point, the boot-driver's access port AP is the only one defined and thus it is the only program that can execute. Since it can access the entire memory space, including the hardware of DAC 10B (but excluding its program instructions), as data, it is by definition the “Master AP”. The hardware of DAC 10B will prevent access to the boot-driver's AP-attachments and TP-attachments by any access port AP whose TP-attachments exclude it, and the boot-driver will ensure that the hardware TP-attachment of DAC 10B is excluded from all other AP-attachments or TP-attachments. Since no other access port AP can access the hardware of DAC 10B, only the boot-driver can define access ports AP or transfer ports TP within it; thus the boot-driver will remain as the Master AP.

RAM DAC Access Control Interface Software

The boot-driver and the hardware of DAC 10B constitute the majority of the requirements of DAC 10B. The only missing functionality is that provided by unit ACI of the SCSI oriented DAC 10A to define AP-TP use and access rights. This component must necessarily be software to support the variety of operating systems, and the flexibility and dynamic environment of computers. The equivalent of unit ACI for DAC 10B is the OS specific OS-driver component that interfaces the OS to DAC 10B to allow for dynamic access port AP and transfer port TP connection and access assignment. To support the OS-driver while retaining the segregation between the OS and the boot-driver, DAC 10B makes use of the memory-like nature of the hardware to create a memory-based virtual DAC hardware called the DAC-mirror. The boot-driver prepares the memory range, which starts at the original value in the DAC register and spans the range of register DID, with the access mode and values of register DID. This mirrors the default state of the hardware of DAC 10B (register DID mapped between the DAC register and register hAP, hAP to end of DAC not present), and allows the DAC-mirror to be discovered during the expected search by a DAC-aware OS that will be installed later. The DAC-mirror allows the boot-driver to supervise the activity of the OS-driver program as it asserts its presence and aids the OS with its tasks. In particular, when the OS-driver registers its ID, the boot-driver can validate it and re-map the DAC-mirror to resemble the DAC hardware registers in their default conditions (with register DID mapped out). When mapped in, the DAC-mirror's registers will be identical to those of the DAC hardware, with the following exceptions:

1. The DAC register Dloc is assigned the r permission to allow the boot-driver to detect whenever the DAC-mirror must be relocated, in order to “virtualize” the relocation procedure for conformity with the expected behaviour of DAC 10B.

2. The access port register is marked as r to allow proper virtualization of the effect of clearing the task-switched flag (DSP.ts) of register DSP when access port AP is written.

3. Tables DTP and DAP are also marked as r in the DAC-mirror to enable the boot-driver to simulate the expected reaction in the DAC-mirror.

4. Registers iAddr and dAddr (explained below) are set as rw.

RAM DAC Initializing the OS and OS-Driver Software

Because the OS-driver is OS specific, it is loaded by the OS during the OS initialization process. The boot-driver begins the process by loading the OS into its “free” TP-attachments and prepares an OS access port AP, and related transfer ports TP, as the second access port AP in the hardware of DAC 10B. The initial access port AP and transfer port TP of the OS are identical to the defaults given in Table VI with the DAC-mirror TP-attachment, but excluding the memory ranges of the boot-driver and the hardware of DAC 10B. This allows the OS to initialize as normal without the ability to affect the boot-driver. The boot-driver activates the OS and goes quiescent until an access violation is performed by the OS. This will only occur if the OS tries to access the boot-driver or the hardware of DAC 10B, or the OS announces its ability to interact with DAC 10B. If the OS is DAC-aware, its memory scan will detect register DID, and it will load and activate the appropriate driver (note: this is all that is required for DAC compliance, namely that the driver “completes” the OS). The OS-driver begins its initialization by announcing its ID to the DAC-mirror. The boot-driver responds by building an access port AP and transfer ports TP for the OS-driver and registering them in the hardware of DAC 10B. The OS-driver's transfer ports TP encapsulate the OS and the free memory ranges of the OS, with appropriate permission to prevent the two from invoking or modifying each other's instructions, and allow only the OS-driver to manage the free or assigned TP-attachments. The OS and OS-driver will share the DAC-mirror, but the OS is given r access. When the boot-driver is finished, it replaces the mirror DID with the default DAC registers (as above) in the DAC-mirror. The OS-driver is reasserted in order to complete its initialization and mapping of the memory space of the OS. It signals completion of its initialization by writing to register Dloc in order to relocate the DAC-mirror to the desired final destination. At such time, the boot-driver (in recognition of the attempt to move DAC 10B) updates the hardware of DAC 10B and the DAC-mirror with the proper access ports AP and transfer ports TP that define the OS and the OS-driver. The OS-driver is now ready for normal operations; thus DAC 10B is now in place and ready for normal operations.

RAM DAC Normal Operations

After OS and OS-driver initialization, the boot-driver goes dormant until it is alerted to an access violation by the hardware of DAC 10B. The OS-driver provides certain memory and task management functions to the OS in order to facilitate the creation and destruction of access ports AP and transfer ports TP dynamically. The functions are considered a part of the OS but must securely share information with the OS-driver and conform to the security requirement of not invoking the OS-driver's instructions. The memory management functions co-operate with the AP/TP management functions using a specialised shared storage definition explained below. The task management functions and the access control functions of DAC 10B co-operate using the DAC-mirror to achieve their needs. This allows the system to operate at maximum efficiency under normal operations.

The following is a detailed description of the use of DAC 10B under normal operations to load a program, consign it to an access port AP (create an access port AP and several transfer ports TP), and assign to it TP-attachments for transparent sharing of data. This will be parallel to the procedure for initializing SCSI AP-attachments and establishing a path from an access port APx to a transfer port TPy within the SCSI oriented DAC 10A. However, SCSI access ports APx are physical and their quantities are fixed. Also, SCSI AP-attachments are created with the capability of initializing themselves, and are physically fixed to DAC 10A by attachment to an access port APx. AP-attachments and TP-attachments on DAC 10B are purely virtual, thus more ground rules are required for their creation, destruction and secure use, and these rules must be obeyed and enforced by DAC 10B itself. In this regard, some of the tasks that DAC 10B must perform (such as memory and program management) are already specific for, and primary functions of, the OS. Thus the following discussion will detail only new functions, extensions or modifications that DAC 10B must provide for the OS so that it can interface with DAC 10B and perform program management correctly.

FIG. 26 is a flowchart showing the process used by DAC 10B for the validation of access to data memory space. The “Data Access” function is triggered by controller AC of DAC 10B on detection of the access type/mode from the control bus CB signals, and this function is supervised by table TPRT; its major task is to determine whether the current program's attempted access should be allowed, denied, or shadowed based on where the access is directed, the mode of the access, and the task's permission for such accesses. Virtual locations take the same path as shadowed locations for the purposes of destination resolution. The outputs from this function control the outcome from other concurrent processes.

FIG. 27 is a flowchart showing the process used by DAC 10B for the validation of access to instruction memory space. The “Instruction Fetch” function is triggered by controller AC upon detection of the access type from the control bus CB signals, and this function is supervised by table APRT, whose major task is to determine the purpose of the access and if it is to be allowed or denied. Access mode is irrelevant since only a read from memory is allowed during an instruction fetch. Access is allowed or denied based on conformity to the current program's AP-attachment definitions as well as DAC state information that impinges on execution flow. The outputs from this function control the outcome from other concurrent processes.

FIG. 28 is a flowchart showing the means by which approved memory accesses are routed by DAC 10B. While the “Data Access” and “Instruction Fetch” functions determine if the access can occur, the “Target Select” function illustrated in FIG. 28 locates the target and activates the necessary circuits for access to external memory or within DAC 10B itself. The “Target Select” function is performed by controller AC at each memory access attempt. Target selection is completed by the outcomes from tables APRT or TPRT during an “Instruction Fetch” or “Data Access” function respectively. The “Target Select” function also keeps a limited access audit trail to facilitate violation debugging.

FIG. 29 is a flowchart showing the means by which a memory access is shadowed to a target that is different from that which was requested. Shadow selection is performed by controller AC on notification from table TPRT that the shadow access should be asserted. The target address is derived from the shadow origin returned from table TPRT. Shadow selection uses the precalculated shadow target address (AC.addr) as the target for the actual access. The above is also true for virtual target selection. All shadow targets are pre-validated by the driver at the time of assignment of the shadow permission to any particular transfer port range.

FIG. 30 is a flowchart showing the processing of access violations by controller AC of DAC 10B. Violations during a “Data Access” cycle raise a CPU exception to prompt the data access and preserve the program's context in case the access will be retried later. Violations during an “Instruction Fetch” result in an instruction substitution that will trigger a task switch to the software component of DAC 10B. Access violations during a “Data Access” necessitate a different response from that possible for an “Instruction Fetch” since data accesses most often occur during instruction execution.

FIG. 31 is a flowchart showing the manner in which DAC 10B effects a safe transition between two different programs. Switching between programs involves a context switch in table APRT when the first instruction of the new program is being accessed. In particular, DAC 10B effects a “Task Switch” by reloading the contents of table APRT from the cache location indicated by register hAP, and then reinitiating the memory access cycle. After the context switch DAC 10B restarts its internal “Instruction Fetch” function to re-evaluate the access conformity.
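The allow/deny/shadow decision of the “Data Access” function (FIG. 26) and the shadow routing of FIG. 29 can be followed in a small software model. The C below is an added example written for this description, not hardware logic or code from the patent; the permission set (r, w, rw, *r, *w, m, *m, na) and the three outcomes follow the text, while the descriptor layout, the 32-bit address width, the treatment of a w range as write-only, and the sample ranges are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added software model of the "Data Access" (FIG. 26) and "Shadow Select"
 * (FIG. 29) decisions of DAC 10B.  The permission set and the outcomes follow
 * the description; descriptor layout, address width and sample ranges are
 * assumptions made for this example. */

typedef enum { P_NA, P_R, P_W, P_RW, P_SR, P_SW, P_M, P_SM } perm_t;

typedef struct {
    uint32_t lo, hi;        /* inclusive address range of the TP-attachment */
    perm_t   perm;          /* access permission (modelled after Table I) */
    int32_t  shadow_off;    /* relative offset of the shadow; 0 = no shadow */
} tp_desc_t;

/* The TP-attachments of the access port AP currently in context (table TPRT). */
typedef struct {
    const tp_desc_t *tp;
    size_t           ntp;
} tprt_t;

typedef enum { ACC_DENY, ACC_ALLOW, ACC_SHADOW } outcome_t;

/* Decide whether a read (is_write == 0) or write of addr by the current program
 * is allowed, denied or shadowed, and return in *target the address the access
 * is actually routed to by "Target Select" (FIG. 28). */
outcome_t data_access(const tprt_t *t, uint32_t addr, int is_write, uint32_t *target)
{
    for (size_t i = 0; i < t->ntp; i++) {
        const tp_desc_t *d = &t->tp[i];
        if (addr < d->lo || addr > d->hi)
            continue;                           /* not this TP-attachment */
        int ok;
        switch (d->perm) {
        case P_R:  case P_SR: ok = !is_write; break;  /* read-only, shared or not */
        case P_W:  case P_SW: ok = is_write;  break;  /* the single writer of a share */
        case P_RW: case P_M:  ok = 1;         break;  /* m is treated as rw by hardware */
        default:              ok = 0;         break;  /* na and *m: not accessible */
        }
        if (!ok)
            return ACC_DENY;                    /* FIG. 30: CPU exception, context kept */
        if (d->shadow_off != 0) {               /* FIG. 29: precalculated shadow target */
            *target = (uint32_t)((int64_t)addr + d->shadow_off);
            return ACC_SHADOW;
        }
        *target = addr;
        return ACC_ALLOW;
    }
    return ACC_DENY;                            /* no TP-attachment covers addr */
}

/* Constructed sample: a private rw buffer, a *r share whose shadow sits 0x10000
 * above it, and a swapped-out (na) range. */
static const tp_desc_t sample_tp[] = {
    { 0x2000, 0x2FFF, P_RW, 0       },
    { 0x3000, 0x30FF, P_SR, 0x10000 },
    { 0x4000, 0x4FFF, P_NA, 0       },
};
static const tprt_t sample_tprt = { sample_tp, sizeof sample_tp / sizeof sample_tp[0] };

int main(void)
{
    static const char *name[] = { "deny", "allow", "shadow" };
    uint32_t target = 0;
    outcome_t o = data_access(&sample_tprt, 0x3010, 0, &target);
    printf("read 0x3010: %s -> 0x%x\n", name[o], target);
    o = data_access(&sample_tprt, 0x3010, 1, &target);
    printf("write 0x3010: %s\n", name[o]);
    return 0;
}
```

The point of the model is the first-match walk over the in-context TP-attachments: an address that no descriptor covers is denied outright, a covered address is checked against the mode, and only then is the shadow offset applied, so a shadow can never widen what the original descriptor permits.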

RAM DAC Dynamic AP and TP Creation

The standard OS program-loader implants the statically linked instructions and data of a program (with the necessary fix-ups), as required, into free memory regions under its control. To use DAC 10B correctly, the OS must relegate its memory allocation and de-allocation functions to the OS-driver, and must classify the intended usage of the memory space (instructions, private data, shared data). Unclassified allocations will be defined as private data (rw) by default (note that such classified data cannot be executed as instructions later). The actual allocation can remain essentially unchanged, but the OS-driver will only map the memory ranges into the calling AP-attachment's transfer port TP if the AP-attachment conforms to the operating system's access port AP. The last step is for the program loader to declare a set of memory allotments as a program to the OS-driver. At such time, the OS-driver assigns the memory ranges, content types and access permissions, defined during the allocation process, to the program by building its access port and transfer port definitions in the DAC-mirror. To do this, the OS-driver iteratively creates transfer port identifiers TPID for the program's data sets, computes their descriptor locations in table DTP using the method shown in FIG. 23(B), and fills the descriptors with the memory ranges (upper and lower addresses), access permissions and relative offset addresses of their shadow (if any). Before committing a TP-attachment to the DAC-mirror, the OS-driver scans all assigned access ports AP to determine if the TP-attachment or its shadow-attachment overlaps any access port AP and will refuse to register any program with such a TP-attachment defect. The OS-driver will also reject registration of the program if any of its TP-attachments, or their defined shadow, do not conform to the access permissions as explained for Table I.
Finally, if any AP-attachment of the program being registered overlaps any TP-attachment (except free TP-attachments of the OS-driver), registration will also fail. Otherwise, the OS-driver computes the memory location in table DAP for the access port descriptors using the method shown in FIG. 23(A), and records the AP-attachments and their associated transfer port identifiers TPID. If the registration completes without errors, the OS-driver extracts the access port AP and related TP-attachments from its “free” transfer ports TP (by reclassifying those TP-attachments as *m), and consigns them as m TP-attachments to the program-management AP-attachments of the OS. The OS-driver then returns the program's access port identifier APID to the OS.
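The three rejection rules of the registration step (a TP-attachment or its shadow overlapping any access port AP, a permission that does not conform, and an AP-attachment overlapping a committed TP-attachment) are easy to get wrong when coded as an afterthought, so here they are as one validate-then-commit routine. This is an added C example for this description, not the OS-driver's code; the registry layout, the result codes and the rule that only *r and *w ranges may carry a shadow are assumptions, and the new program's own AP-attachment is treated as an access port for the overlap scan, consistent with the boot-driver's ban on internal AP/TP overlap stated later in this description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the OS-driver's registration checks for a new program.  The
 * overlap rules follow the description; table layout, identifiers and the
 * "shadow only on *r/*w" rule are assumptions made for this example. */

#define MAX_PORTS 16

typedef enum { P_NA, P_R, P_W, P_RW, P_SR, P_SW, P_M, P_SM } perm_t;

typedef struct { uint32_t lo, hi; } range_t;            /* inclusive */

typedef struct {
    range_t range;
    perm_t  perm;
    int32_t shadow_off;     /* relative offset of the shadow; 0 = none */
} tp_req_t;

/* Everything already committed: the AP-attachments of all registered programs
 * and their TP-attachments (the OS-driver's free TPs are not listed here). */
typedef struct {
    range_t ap[MAX_PORTS]; size_t nap;
    range_t tp[MAX_PORTS]; size_t ntp;
} registry_t;

typedef enum {
    REG_OK = 0,
    REG_TP_OVERLAPS_AP,      /* data range overlaps some program's instructions */
    REG_SHADOW_OVERLAPS_AP,  /* shadow lands on some program's instructions */
    REG_BAD_PERMISSION,      /* shadow on a permission that is not shareable */
    REG_AP_OVERLAPS_TP,      /* instruction range overlaps committed data */
    REG_FULL
} reg_result_t;

static int overlaps(range_t a, range_t b)
{
    return a.lo <= b.hi && b.lo <= a.hi;
}

static range_t shadow_of(const tp_req_t *t)
{
    range_t s = { (uint32_t)((int64_t)t->range.lo + t->shadow_off),
                  (uint32_t)((int64_t)t->range.hi + t->shadow_off) };
    return s;
}

/* Validate one program (its AP-attachment plus TP-attachments) and commit it
 * only if every check passes; a failure leaves the registry untouched. */
reg_result_t register_program(registry_t *reg, range_t ap,
                              const tp_req_t *tps, size_t ntps)
{
    if (reg->nap + 1 > MAX_PORTS || reg->ntp + ntps > MAX_PORTS)
        return REG_FULL;

    for (size_t i = 0; i < ntps; i++) {
        if (overlaps(tps[i].range, ap))             /* program's own instructions */
            return REG_TP_OVERLAPS_AP;
        for (size_t j = 0; j < reg->nap; j++)       /* every assigned access port */
            if (overlaps(tps[i].range, reg->ap[j]))
                return REG_TP_OVERLAPS_AP;
        if (tps[i].shadow_off != 0) {
            if (tps[i].perm != P_SR && tps[i].perm != P_SW)
                return REG_BAD_PERMISSION;          /* assumption: shadows only on shares */
            range_t s = shadow_of(&tps[i]);
            if (overlaps(s, ap))
                return REG_SHADOW_OVERLAPS_AP;
            for (size_t j = 0; j < reg->nap; j++)
                if (overlaps(s, reg->ap[j]))
                    return REG_SHADOW_OVERLAPS_AP;
        }
    }
    for (size_t j = 0; j < reg->ntp; j++)           /* new AP vs committed data */
        if (overlaps(ap, reg->tp[j]))
            return REG_AP_OVERLAPS_TP;

    reg->ap[reg->nap++] = ap;                       /* commit only after all checks */
    for (size_t i = 0; i < ntps; i++)
        reg->tp[reg->ntp++] = tps[i].range;
    return REG_OK;
}

int main(void)
{
    registry_t reg = { {{0, 0}}, 0, {{0, 0}}, 0 };
    range_t ap = { 0x1000, 0x1FFF };                 /* constructed sample program */
    tp_req_t tps[] = { { { 0x2000, 0x2FFF }, P_RW, 0 },
                       { { 0x3000, 0x30FF }, P_SR, 0x10000 } };
    printf("register: %d (0 = ok)\n", register_program(&reg, ap, tps, 2));
    range_t bad_ap = { 0x2800, 0x2BFF };             /* code placed on committed data */
    printf("overlapping AP: %d\n", register_program(&reg, bad_ap, NULL, 0));
    return 0;
}
```

Because nothing is written to the registry until every TP-attachment and the shadow of each has been scanned, a partially valid program can never leave a stray descriptor behind for the next registration to trip over.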

RAM DAC Attaching to Dynamically Created APs and TPs

At this point the entire program, its instructions and data-sets, is encapsulated in the TP-attachment of the program-management routines of the OS, allowing it to perform whatever fix-ups are necessary for the program to run. The OS begins the activation of the program by sending the program's access port identifier APID to the OS-driver. At such time the OS-driver will modify the program-management transfer ports TP that contain the program so that only the public data used for OS-program interface TP-attachments remain accessible to the OS. All other TP-attachments of the OS that are a part of the program are removed from the reach of the OS by modifying their access permission to *m. Then the OS-driver writes the program's access port identifier APID to the access port register of the DAC-mirror and returns control to the OS. Since the AP register was r, the flowcharts in FIG. 26 and FIG. 30 demonstrate how the hardware of DAC 10B detects the inappropriate write and initiates the invocation of the boot-driver using the instruction substitution of register eCall. Once invoked, the boot-driver notes that the access was from the OS-driver to the mirror access port AP, that the access port AP is new, and that its descriptors in the DAC-mirror are valid. Valid new access ports AP and their attendant transfer ports TP are recorded in the hardware of DAC 10B, and the boot-driver will update register hAP and register DSP of the DAC-mirror (and not the hardware of DAC 10B) before returning control to the OS-driver.

RAM DAC Establishment of Access Paths

When it is ready to do so, the OS will issue a program-flow-change instruction that directs the CPU to begin instruction processing at the program address within the TP-attachments of the OS. The flowcharts in FIG. 27 and FIG. 30 show that as the CPU attempts to fetch the first instruction of the program, the hardware of DAC 10B detects an instruction access violation and redirects the CPU to the boot-driver instead of the target instruction. The redirection is transparent to the CPU and no “Exception” or “Interrupt” will be raised. It is achieved by the hardware itself, which returns register eCall to the CPU instead of the intended instruction, and pre-authorizes the assertion of the boot-driver access port AP by forcing a register eAP into register hAP. The CPU executes the instruction in register eCall and, in accordance with the flowchart in FIG. 27, attempts to fetch the first instruction from the boot-driver; the target address lookup will fail since the OS access port AP is still active. This failure, however, triggers the “Task Switch” function shown in FIG. 31, that was pre-authorised by the hardware of DAC 10B, to bring the boot-driver's access port AP into context. Thus, the boot-driver gains control in only 2 instruction execution cycles plus the reload time of table APRT (fairly low error transfer overhead).

RAM DAC Validation of Path Establishment

The boot-driver now determines the cause of the instruction access violation using the state of register DSP, the access port register, register hAP, and register eAP of both the hardware of DAC 10B and the DAC-mirror. The conditions of these registers will indicate if the violation occurred as a result of a Task Switch attempt by any program (including the OS), or hidden errors in the OS, the OS-driver or the boot-driver itself. In addition, register eAddr recorded the program and address of the attempted target instruction violation, register iAddr recorded the program and address of the instruction that attempted the violation, and registers dAddr[0] to dAddr[Didx] (if implemented as an array) recorded the address of the data stream accessed by the CPU on execution of the instruction at register iAddr. These values can be used when recovering from the violation. For example, if the OS attempted to invoke the Task Switch using a call instruction, a register vAddr recorded the location of the call instruction from the OS, register eAddr recorded the destination for the call instruction, and the return address to the OS would be recorded on the stack at dAddr[0] to dAddr[Didx]. In this case, the violation was a Task Switch attempted by the OS, as validated by the mirror DSP.ts and conformity of the destination to the mirror hAP. The boot-driver further validates that the access port descriptors in the DAC-mirror concur with those of the hardware of DAC 10B and that the mirror descriptors of the OS have been appropriately modified to conform to security specifications. Conformity will result in updating the state of the DAC-mirror and the hardware of DAC 10B, then resumption of the Instruction Fetch to activate the new program. This involves updating the DAC-mirror to reflect the task's activity state, initializing the program's stack with a pseudo return-address (if necessary), then performing a controlled Task Switch.

FIG. 32 is a state diagram which illustrates the program-controlled flow of program execution within DAC 10B, and demonstrates the means by which the Task Switch can occur successfully. FIG. 32 shows the incorporation of program execution with the state of DAC 10B. In particular, it highlights the fact that any program that attempts to execute instructions in any other program's memory space will trigger an access violation within DAC 10B. It also highlights the process by which a supervisory program (usually the OS), in a multitasking environment, can safely promote execution to a subservient program, giving the supervisory program full control over the manner in which all programs interact. When the OS is the currently executing task, it signals to DAC 10B that it approves the upcoming program switch by writing the new access port identifier APID (namely, the program ID) into the access port register, as shown in path 3200. Since the access port register is read-only and accessible to the OS, writing to the access port register is shadowed to register hAP and triggers clearing of the task-switched flag DSP.ts in register DSP. When the OS is finished preparing the new program for execution, it executes a program-flow-change (jump or call or return) instruction, diverting execution to some point in the target program's code memory space as shown in path 3210. This action is noticed by DAC 10B as the CPU attempts to fetch the next instruction from a memory region to which OS instructions have not been allocated, as shown in path 3220. DAC 10B promotes the new access port identifier APID, causing an access port Context Switch and validation of the Instruction Fetch target for conformity in the new access port AP. The only condition for writing the access port register is that once written to, the OS must be prepared to deal with any instruction access violations which may occur prior to activating the program (only the OS can cause such violations since it is the current task).
Nevertheless, state information in DAC 10B can help the OS recover correctly from this eventuality.

The boot-driver approves the Task Switch, and then issues an indirect jump instruction through register eAddr to reach the intended instruction. In this manner, control is passed to the new program with the context of DAC 10B set to that of the new program. The context switch mechanism of DAC 10B is the only means by which any program can invoke other programs. This is reserved for use by the boot-driver via its ownership of DAC 10B, and by the OS through its access to the DAC-mirror.
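The paths of FIG. 32 (3200 approve, 3210 jump, 3220 fetch mismatch) together with the APRT reload of FIG. 31 make up the controlled Task Switch, and the property worth checking is that a fetch outside the in-context access port AP succeeds only when a supervisor has pre-approved the destination. The C below is an added model written for this description, not the patent's hardware or boot-driver code; register names hAP, eAddr and iAddr come from the text, while the state layout, the APID numbering, the sample address ranges and the omission of flag DSP.ts are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the controlled Task Switch of FIG. 31 and FIG. 32.  Register
 * names follow the description; the struct layout, APID numbering and sample
 * ranges are assumptions, and flag DSP.ts is deliberately not modelled. */

#define NO_AP (-1)

typedef struct { uint32_t lo, hi; } ap_range_t;   /* inclusive instruction range */

typedef struct {
    const ap_range_t *aps;      /* AP-attachment of every registered program, by APID */
    size_t            naps;
    int               cur_ap;   /* access port in context (contents of table APRT) */
    int               hAP;      /* pre-approved next access port (register hAP) */
    uint32_t          eAddr;    /* target of the last violating fetch (register eAddr) */
    uint32_t          iAddr;    /* instruction that attempted it (register iAddr) */
} dac_state_t;

typedef enum { FETCH_OK, FETCH_SWITCHED, FETCH_VIOLATION } fetch_result_t;

static int in_range(const ap_range_t *r, uint32_t addr)
{
    return addr >= r->lo && addr <= r->hi;
}

/* Path 3200: the supervisor's write to the read-only access port register is
 * shadowed into hAP.  An APID outside the table leaves nothing approved. */
void approve_task_switch(dac_state_t *d, int apid)
{
    d->hAP = (apid >= 0 && (size_t)apid < d->naps) ? apid : NO_AP;
}

/* Paths 3210/3220 evaluated as in FIG. 27: pc is the executing instruction,
 * addr the fetch it asks for.  Inside the current AP the fetch proceeds; a
 * fetch into the pre-approved AP reloads APRT (FIG. 31); anything else is an
 * instruction access violation handed to the boot-driver (FIG. 30). */
fetch_result_t instruction_fetch(dac_state_t *d, uint32_t pc, uint32_t addr)
{
    if (in_range(&d->aps[d->cur_ap], addr))
        return FETCH_OK;
    if (d->hAP != NO_AP && in_range(&d->aps[d->hAP], addr)) {
        d->cur_ap = d->hAP;                   /* APRT reloaded from the hAP cache slot */
        return FETCH_SWITCHED;                /* re-evaluated fetch now conforms */
    }
    d->eAddr = addr;                          /* recorded for violation recovery */
    d->iAddr = pc;
    return FETCH_VIOLATION;                   /* eCall is substituted for the instruction */
}

/* Constructed sample: APID 0 is the supervisor (OS), APIDs 1 and 2 are programs. */
static const ap_range_t sample_aps[] = {
    { 0x0000, 0x0FFF }, { 0x1000, 0x1FFF }, { 0x2000, 0x2FFF }
};

dac_state_t sample_dac_state(void)
{
    dac_state_t d = { sample_aps, 3, 0, NO_AP, 0, 0 };
    return d;
}

int main(void)
{
    dac_state_t d = sample_dac_state();
    printf("jump without approval: %d\n", instruction_fetch(&d, 0x100, 0x1000));
    approve_task_switch(&d, 1);                       /* path 3200 */
    printf("jump after approval:   %d\n", instruction_fetch(&d, 0x100, 0x1000));
    printf("program 1 -> program 2: %d\n", instruction_fetch(&d, 0x1004, 0x2000));
    return 0;
}
```

Once APRT holds program 1, the model rejects a jump into program 2 and equally a jump back into the supervisor: neither destination was approved through the access port register, which is exactly the property that reserves inter-program invocation to the boot-driver and the OS.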

RAM DAC Denial of Path Access

Failure of the security conformity test will cause the boot-driver to update the DAC-mirror's error log registers from the hardware of DAC 10B and perform a Task Switch using an indirect nested call through register eCall of the DAC-mirror. This will allow the OS-driver to deal with the error in an OS-specific manner. If the OS-driver aborts the program activation, it should invalidate the program's AP-attachments and place the access port identifier APID in register iAddr along with the address for OS notification (if applicable) before returning to the boot-driver. If the program activation is to be retried, the OS-driver must ensure the program's conformity before returning to the boot-driver with register iAddr unmodified. Otherwise the boot-driver will classify the fault as a system breach and halt the OS and all its programs after dumping the machine's state to the error logs. Note that regardless of the outcome, the OS-driver must return to the boot-driver or stay within its limited bounds because it has been assigned an access port AP independent of the OS and all other programs. As recommended for the SCSI oriented DAC 10A, the RAM oriented DAC 10B could also be designed with an access port activity timer to ensure that the boot-driver can regain control if any access port AP retained active status for too long. If the OS-driver was compromised, its inability to gain increased access is assured since its AP-attachments and TP-attachments were not assigned by itself but by the boot-driver (regardless of what the DAC-mirror indicates).

RAM DAC AP-TP Access Supervision and Enforcement

Thus far, a single program (the OS not included) has been loaded statically and activated by the OS. Any DAC-aware computer (boot-driver installs) must use DAC 10B for loading and dispatching programs. DAC 10B prevents programs from writing to their AP-attachments, prevents execution of instructions from within TP-attachments, and the boot-driver prevents internal overlap between AP-attachments and TP-attachments. Thus, the standard practice of executing data as instructions during the Task Switch function is abolished. What follows details the manner in which DAC 10B ensures that the program operates and interacts with transfer ports TP in a manner expected of AP-attachments and TP-attachments on DAC 10B.

The state diagram in FIG. 32 shows what happens when the boot-driver writes the program's access port identifier APID to register AP (path 3200), triggering clearing of flag DSP.ts and updating of register hAP. Then the boot-driver executes the indirect jump to activate the approved program (path 3210). Next, Instruction Fetch, detailed in the flowchart in FIG. 27, causes a fetch mismatch (path 3220) and reloading of table APRT to bring the program's access port AP into context and complete a Task Switch in accordance with the flowchart in FIG. 31. The Instruction Fetch is re-evaluated to ensure that the instruction belongs to the new access port AP, and if so, the address is allowed to access the memory bus in accordance with the flowchart in FIG. 28 and return the instruction to the CPU. In the meantime, DAC 10B will refresh table TPRT, if necessary, to maintain the link between the allowed TP-attachments and the AP-attachment from which the instruction was fetched. From this point DAC 10B has locked the access port AP to this program and all subsequent instructions must be directed at its AP-attachments, and all data access must be directed to its defined TP-attachments in accordance with the flowchart in FIG. 26. Otherwise, DAC 10B will indicate an access violation error. In this manner, DAC 10B detects and prevents all AP-to-AP and AP-to-non-AP access violations, especially those that are known for causing the dreaded buffer overflow error. In this error, the attacker uses valid program input to create invalid memory access which eventually forces data into the instruction region or forces instruction access to be made to data regions. The end result is that program execution goes out of sequence such that data is executed as instructions by the CPU. The boot-driver can include special mechanisms for catching even internal program data abuses of this type, especially those that use the CPU stack.
Options range from the draconian method of assigning the stack as *m within the program so that the boot-driver will be invoked on every access to the stack, to instruction snooping by the hardware of DAC 10B for stack-related or program-flow-change instructions in order to validate their parameters.

RAM DAC Transparent Multitasking

The last item of concern for transparent sharing of memory for programs and data regards “Exceptions” and “Interrupts”. Exceptions and Interrupts are signals issued by the CPU in response to an internal error or by an external device for asynchronous external events. Note that the CPU should not support software Exceptions or Interrupts because of the potential for their abuse to override system integrity. Similar functionality can be achieved using TP-attachments, and the mechanisms of DAC 10B eliminate the possibility of abuse from within application software. The occurrence of Interrupts and Exceptions is otherwise unpredictable and their effect must only be visible to the appropriate access port AP, which may not be the currently active access port AP. CPUs already have the facility to handle such events but DAC 10B must be able to ensure that even these events cannot be used to achieve an access violation. Because the CPU can signal when such events are occurring, DAC 10B can use those signals (IACK) to enforce memory sharing rules. Interrupts and Exceptions which are acknowledged by the CPU will invoke an automatic task switch by forcing the contents of an interrupt handler register iAP into register hAP and setting the Interrupt/Exception and task-switch flags (DSP.ie & DSP.ts) in register DSP. This will effect the Task Switch at the earliest possible moment that tables APRT and TPRT can be safely reloaded (this can be immediately if DAC 10B is not engaged). An instruction iJump will be the first instruction executed after signal IACK regardless of the outcome of the Instruction Fetch function. Thereafter the Instruction Fetch function will prevail until the next signal IACK. The iJump instruction is a function of the boot-driver and it preserves the critical CPU and DAC state registers and prepares the DAC-mirror for a further task switch to the prescribed OS-Exception/Interrupt service routines indicated by the mirror iCall.
The boot-driver can also use this handle to ensure that the Exception mechanism is no longer used by other access ports AP to invoke the OS, should this be desired. When the boot-driver's interrupt handler regains control it can restore the CPU and DAC state registers and resume the interrupted program by clearing register DSP. Doing so causes DAC 10B to automatically reload register hAP and its Instruction Fetch pointer from register eAddr, its data access pointer from register dAddr, and set flag DSP.ts to pre-approve the Task Switch. The next Instruction Fetch from the CPU (intended for the boot-driver address) will be processed, ignoring the bus address in favour of its internally latched pointers to guarantee the Task Switch and restoration of the interrupted task.

RAM DAC Shared Storage

Aside from facilitating the secure sharing of storage for programs and their data, DAC 10B provides similar inter-access-port sharing of storage as that supported by the SCSI oriented DAC 10A. The permissions shown in Table I hint at their nature. The permissions for shareable storage are r, w, *r, *w, and while any number of AP-attachments may access the same storage as r or *r, only one AP-attachment may access the shared storage as w or *w. Note that shareable does not imply public; that is, the owner of a shareable storage must first request that the storage be shared before any other AP-attachments may discover or access the storage. Shared or public TP-attachments may only have the *r and the *w permissions and elements of the attachments may appear only in readable shadow TP-attachments of other access ports AP (the shadow of a *r 1⁰ must be internal to TP-attachments accessible to access port AP). The access rule for sharing is that only the owner of the storage must be able to modify its contents; correspondents may only read it. The *r storage is reserved for the OS and this reservation is enforced by the boot-driver. This special reservation is designed to support many clients sharing a single OS storage, or the OS sharing many single client storages, as shown in FIG. 34 (described below).

The OS allocates one of its *r TP-attachments for each client. Although the transfer port TP descriptor is defined for the access port AP of the OS, the 1⁰ “belongs” to the client and is the client's private share with the OS; the shadow belongs to the OS and is the public share of the OS for its clients. The allocation of *r storage is useful for OS-specific assignment of shared storage. The allocation/deallocation of *w storage is allowed to all access ports AP. The 1⁰ of a *w storage “belongs” to the access port AP in which it is defined; the shadow must be a similar share that is allocated (“belongs”) to another access port AP. Belonging to an access port AP implies that only that access port AP can direct the sharing (declare who may read it) or request de-allocation of the storage. Shared storage may only be discarded or shared.
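The sharing rules of the two preceding paragraphs (one owner that alone writes, publishes, grants readers and discards; any number of readers; nothing discoverable before the owner asks for the share) reduce to a small ownership check per access. The C below is an added example for this description and not the boot-driver's or OS-driver's code; the share record, the result codes, the APID-as-integer convention and the owner's right to read its own *w storage are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Added model of the sharing rules for DAC 10B shareable storage (*r and *w):
 * the storage belongs to one access port AP, which alone may write it, publish
 * it, grant readers and discard it; other APs may only read, and only after the
 * owner has requested the share.  Names and the API shape are assumptions. */

#define MAX_READERS 8

typedef struct {
    int    owner_ap;               /* AP the storage "belongs" to (the single writer) */
    int    published;              /* owner has requested that the storage be shared */
    int    readers[MAX_READERS];   /* APs granted read access through readable shadows */
    size_t nreaders;
} share_t;

typedef enum { SH_OK, SH_NOT_OWNER, SH_NOT_SHARED, SH_FULL } share_result_t;

void share_init(share_t *s, int owner_ap)
{
    s->owner_ap = owner_ap;
    s->published = 0;
    s->nreaders = 0;
}

/* Shareable does not imply public: the owner must first ask for it to be shared. */
share_result_t share_publish(share_t *s, int requester_ap)
{
    if (requester_ap != s->owner_ap) return SH_NOT_OWNER;
    s->published = 1;
    return SH_OK;
}

/* Only the owner directs the sharing (declares who may read it). */
share_result_t share_grant_read(share_t *s, int requester_ap, int reader_ap)
{
    if (requester_ap != s->owner_ap) return SH_NOT_OWNER;
    if (!s->published)               return SH_NOT_SHARED;
    if (s->nreaders >= MAX_READERS)  return SH_FULL;
    s->readers[s->nreaders++] = reader_ap;
    return SH_OK;
}

/* Access check: the owner may read and write (owner read is an assumption);
 * a granted correspondent may only read; everyone else is denied. */
int share_can_access(const share_t *s, int ap, int is_write)
{
    if (ap == s->owner_ap) return 1;
    if (is_write || !s->published) return 0;   /* a second writer is never allowed */
    for (size_t i = 0; i < s->nreaders; i++)
        if (s->readers[i] == ap) return 1;
    return 0;
}

/* Shared storage may only be discarded or shared; discarding is the owner's
 * call and revokes every reader at once. */
share_result_t share_discard(share_t *s, int requester_ap)
{
    if (requester_ap != s->owner_ap) return SH_NOT_OWNER;
    s->published = 0;
    s->nreaders = 0;
    return SH_OK;
}

int main(void)
{
    share_t s;
    share_init(&s, 1);                    /* constructed: AP 1 owns the storage */
    share_publish(&s, 1);
    share_grant_read(&s, 1, 2);
    printf("AP2 read: %d, AP2 write: %d, AP3 read: %d\n",
           share_can_access(&s, 2, 0), share_can_access(&s, 2, 1),
           share_can_access(&s, 3, 0));
    return 0;
}
```

Note that the write branch is decided before the reader list is consulted at all, so a reader's grant can never be widened into write access by any later call; only a change of owner (which this model does not offer) could move the single writer.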

RAM DAC Private AP-only Accessible Storage

Of the multiple TP-attachments supported by DAC 10B, a DAC-aware OS can assign the rw permission for private storage. Private storage is guaranteed never to be shared with any other access port AP including the OS, and private storage may only be accessed by one access port AP for the life of that storage or the life of that access port AP, whichever is shorter. Permission rw is the default for all newly created storage unless otherwise specified, and such storage may only be destroyed (removed from the accessible attachments of access port AP) or converted into na storage.

RAM DAC Between APs Storage Sharing Primitives

DAC 10B supports two forms of storage sharing for networking support: synchronous and asynchronous notification. Instantaneous notification is relevant for realtime system functions, and asynchronous is relevant for non-critical event-driven functions. The DAC-mirror is an example of a synchronous shared storage. The DAC-mirror is shared by the OS, the OS-driver, and the boot-driver. The OS shares the DAC-mirror as asynchronous storage with r access (boot-driver enforced rule) and r permission (DAC-hardware-enforced rule) since the OS only needs occasional up-to-date status for dealing with asynchronous task related events. The OS-driver shares the DAC-mirror as synchronous storage with varied r and rw access but r permission. This is necessary because the OS-driver must be able to update DAC 10B and have realtime responses from DAC 10B (the DAC-mirror must react as if it were the hardware of DAC 10B with respect to the OS-driver). The boot-driver shares the DAC-mirror as synchronous storage with rw access and m permission (the boot-driver can override the hardware rules) since it must intercept and respond to realtime accesses to properly simulate the hardware of DAC 10B for the OS-driver.

RAM DAC Shared Storage as Virtual Memory

To support the size or availability limitation of memory, the OS is allowed to mark attachments (at an access port AP or transfer port TP) as na if their initially allocated space was swapped with some other process while the access port AP was inactive. DAC 10B will invoke the OS-driver whenever an na TP-attachment is being validly accessed by its access port AP, allowing it to restore the attachment and revert its access permissions. The equivalent to such TP-attachments for AP-attachments is one whose TP has been nullified but whose address range is valid; the driver can similarly restore such AP-attachments.

RAM DAC Storage Management

RAM must be managed at all times by various AP-attachments in order to support the dynamic allocation and reallocation of memory for the various uses (AP-attachment or TP-attachment) and access permissions. As such, every memory location (except for m in certain cases) will have at least two TP-attachments that define its memory address or address range. Aside from the shared and private permissions, TP-attachments may be assigned as m or *m to allow the relevant AP-attachment to perform management functions. Management functions include assignment and revocation of ownership, insertion or modification of sharing and access permissions. m storage is essentially private (treated as rw by the hardware of DAC 10B) and may only be accessed by, and is reserved for, program and memory management systems (enforced by the boot-driver). Access ports AP with m storage may request that such storage, or elements of it, be re-assigned for use by another AP-attachment. When approved, such reassignment will result in the storage being removed from the reach of the current access port AP (if assigned as owned and reassigned as private) or redefined as *m within the reach of the access port AP. *m storage is essentially a black box (treated as na by the hardware of DAC 10B) and may not be accessed by its owner except to redefine (facilitated by the boot-driver) its access permissions. When an *m storage owner redefines its own TP-attachment, it may only redefine it as m (free for use) and this will revoke its accessibility from all other TP-attachments. When an *m storage owner redefines the TP-attachment of another access port AP, it may only redefine it according to the rules that govern the current access permission of the access port AP for the TP-attachment (see above). In particular, the *m storage owner may only move (redefine port.lo and port.hi), resize (redefine port.lo or port.hi), borrow (redefine as na), or release (equate port.lo and port.hi) private TP-attachments.
It may only move (when the owner moves it), resize (when the owner resizes it) or release (equate port.lo and port.hi when the access port AP must no longer access it) shared storage for access ports AP that do not own the shared storage. In addition, it may move, resize, or remove (equate port.lo and port.hi for all sharers) shared storage for the access port AP that owns the shared storage.

Note that DAC 10B can replace the function of current memory management hardware (MMU) on CPUs. However, DACs 10B have several distinctions that make them more capable and secure memory access control devices than current MMUs: (1) DACs 10B do not require CPU compliance for enforcement of access violations; (2) AP-attachments of DAC 10B may have exclusive access to TP-attachments even though both are defined as part of the same program (many buffer overflow conditions result from the inability of the MMU to provide exclusive data use by portions of the same program); (3) the AP and TP definitions of DAC 10B use real memory addresses instead of virtual addresses (virtual addresses mean programmers see their memory ranges as seamless, which facilitates buffer overflows); (4) shadowing with DACs 10B provides a unique sharing mechanism that supersedes software controls of the shared memory and provides transparent routing mechanisms for such storage.

Use of DACS as Controlled Communications Portals

Given the characteristics of a DAC 10 that it is not controlled by the systems that use it, and that it allows attached systems to access one another transparently through it, it follows that storage units controlled by one or more DAC 10 can be used as controlled portals through which attached systems can communicate and share information securely. For the reasons set out above, DACs 10 are impervious to software methods of subversion, and the judicious use of DACs 10 as a communication channel would naturally confer protection against intrusion from external systems. These DAC-controlled storage units will, in the remainder of this description, be called “DACS”.

The problems with inter-system security are many, but the primary flaw is that the systems must be electronically connected, in a client-server architecture, in order to communicate and share information efficiently. The client-server architecture is ideal for networking trusted and trustworthy systems. However, this model becomes the source of security problems when hostile individuals infiltrate one of the connected systems. To address this security issue, a proposal to erect a foolproof secure communication channel between systems has been presented. This communication channel is composed of DACS, several implied a-priori rules that replace the client-server model of networking, and functional “agents”. The key enabling component is the use of the DAC 10 along with digital storage units to provide a physical “checkpoint” barrier at which all information can be subjected to scrutiny. Because a DAC 10 allows multiple systems to transparently share storage units, and applies categorical restrictions to accessing the storage unit, even certain types of impersonation attempts (a means of invasion) can be detected and actively inhibited. The communication channels allow restructuring of the client-server model into a private anonymous-server network model. This model is based on the principle that “client” systems are essentially incomplete systems that cannot independently access or process the necessary information, and thus need the support of the network to be complete. In addition, “server” systems are really just a collection of functions that clients can use to give them the semblance of being complete.

Since networks are used by clients to gain access to remote information or to gain the added processing power of systems on the network, it can be said that the network makes the client a complete system. Here the network implies any system made up of co-operating “clients” and “servers”, and, for the sake of clarity, the “client” of interest is considered a user of the network. A complete system is one that is capable of performing the full set of tasks that it claims to provide. Since computer systems and programs share the same relationship as networks and clients (that is, a computer system makes the program a complete system), references to networks and clients shall include the implication of computers and programs. The basis of the client-network/program-computer relationship is the client-server model of networking. This model is an open system model in which a client accesses whatever external systems it requires in order to fulfill its tasks. As such, a client must be able to locate and determine how to access servers or other clients. Once such a target is located, the two communicate to determine each other's capabilities and needs, and work to fulfill them. While completing the client's tasks, the network becomes, in essence, the client, and operates as dictated by the client. Unfortunately, the participants on the network do not always consider their systems as mere extensions of the client.

Network Remodelling

This invention proposes a method by which to modify the basis of networking for increased security. The client-server model is seen as the “Achilles' heel” of networking because it requires that the network process clients' requests in its own environment, allowing the client to forge requests that can exploit weaknesses in the network. To modify the basis of networking, an a-priori series of standard operating procedures (SOPs) has been created that segments the network into functional components, thus converting the network itself into a function-oriented network. Function-oriented networks can sustain a modification of the client-server model so that it suits an “information sharing only” model of networking. The information sharing model affords the network the means to complete clients such that they can operate as if independent of the network, and thus makes the functioning of the network independent of the client's actions. The method involves a novel communication channel that consists of “completion agents” applied to the client's and the network's environment, and secure checkpoints through which “agents” access the network or the client, on behalf of the client or the network.

The Security Checkpoint

The secure “checkpoint” is the defining characteristic of this new communication channel, and is composed of a DAC 10 with its multiple access ports and rules that govern the ports' usage of the DAC 10. Information arriving via networks is often fragmented and the network infrastructure has limited processing capabilities; consequently, current networks compel each participant to process all information it receives, even if the information is unwanted, unnecessary or dangerous. The checkpoint makes it possible for the “trusted zone” to select which information it will process, and when it will be processed. Moreover, the checkpoint is directional for both the information it conducts and for its source of control, and control of the checkpoint need not rest with any of the participants that actually use the checkpoint. The function of a checkpoint is implied by the function of the owner(s) (agents of the network) which have access to it. The checkpoint offers each destination port's system (each of which is a trusted zone) a means of classifying incoming information as originating from a “distrusted zone”, and assigning it the minimal level of trust. Although almost any traffic can be routed to the checkpoint, the trusted zone alone predetermines the types of information that it requires from that checkpoint. Thus, it alone determines what will be allowed to leave the checkpoint for further processing. With these features, a network built using checkpoints can predetermine which of the participants can interact and which of the participants are in control of the communication channel. In general, the network provides the checkpoint, and thus it is in control of the communication channel.

The Network Completion Agents

Security at the checkpoint is enhanced by the support provided on both sides: by owners (agents of the network) on the network side and by agents on the client side. As each distrusted zone (or client therein) attempts to join the network, the network completes its end of each communication channel by asserting “owners”, who are agents designed to meet the client's need but on the network's terms. Owners assure proper use of the checkpoints by ensuring that only information that is relevant to the owner's function will be delivered to the network, or will be delivered to the distrusted zone. By definition, an “owner” is an integral entity of the trusted zone, designed to service the function of its trusted zone target. Owners are comprised of software/firmware, a processing unit, interfaces to communicate with their target, as well as links to at least one checkpoint. Their task is to deliver “ready information” (information transformed to conform to the destination's expectations) to its final destination, and may include completion of the transformation of incoming information, if the distrusted zone cannot complete the transformation securely.

The Client Completion Agents

As each distrusted zone (or client therein) attempts to join the network, the network completes the distrusted zone's end of each communication channel by deploying completion “agents” in the distrusted zone. For the remainder of this description, “agent” will mean an agent in the distrusted zone, while “owner” will mean an agent in the trusted zone. These agents are complementary to owners and each agent represents (is a proxy for) the trusted zone in the native environment of the distrusted zone. Agents assure proper use of checkpoints by being the only elements of the distrusted zone that have legal access to any particular checkpoint. An “agent” then, by definition, is an independent entity of the trusted zone, that is designed to service and become an integral part of the distrusted zone, while fulfilling functions in the distrusted zone for its owner. Agents are comprised of software/firmware, a processing unit, interfaces required to communicate with systems in the distrusted zone, as well as links to at least one checkpoint. Aside from lending their services to the distrusted zone, their task for the trusted zone can be twofold:

1. To procure information, relevant to their owners' function, from the distrusted zone, and to deliver only ready information to the checkpoints for the trusted zone.
2. To procure information, relevant to their owners' function, from the checkpoints and to deliver only ready information to the distrusted zone.

Thus, an agent's function is implied by the function of the checkpoints to which it has access, and not by the activity of the agent itself.

The Function-Oriented Network

The secure communication channels are designed to provide:

1. A client-completion agent that provides the distrusted zone with the processing power and facilities it needs to access and process the information that it requires from the network, or that it will deliver to the network.
2. An agent of the trusted zone that offloads from the network, and onto the distrusted zone, the danger of processing information for the distrusted zone while ensuring that only tolerable information will be delivered to the network.
3. A secure checkpoint at which ready information is presented to the participants while insulating the participants' private systems and information from the effects of danger in each zone.
4. Owner systems that oversee the proactive sharing of a network's resources that belong to predefined function-oriented segments of the network.
5. Directional and access control at every communication channel to enable a fully mapped network environment wherein the reach of every client can be predetermined and restricted.

These elements can be applied to make communication on today's private networks electronically secure with no apparent difference in overall effect to its users. Before a network can properly integrate these secure communication channels, the structure of the network must be changed from a client-server, service-oriented network to an information-sharing, function-oriented network. The function-oriented network is also a structural network—that is, one that must be planned and laid out according to the purpose of the network and the functions that each element contributes to that purpose.

Messages and Access Rules

Typically, the network is analyzed and subdivided into functional groups based on their task(s) and their contribution to the overall purpose of the system. Each functional group qualifies as a trusted zone of the network and is segregated from other functional groups by secure communication channels; thus each functional group is a distrusted zone with respect to the information that each other group processes. The information being processed by these functional groups must then be sub-classified into access categories of “private”, “public”, and “control” contents (henceforth, “messages”). All messages within a functional group are thus private with respect to other functional groups. Access to, and use of, these messages are what the secure checkpoints are designed to control. The agents and owners are created to securely process these messages, and the communication channels are created to assert and maintain segregation between the message categories, and to segregate agents from owners and functional groups from each other. Each owner services a functional group and is responsible for the availability and processing of specific messages for the network. Each agent services a single client in the distrusted zone and services specific messages for the client on the network's behalf. To ensure secure access and processing of the messages, an a-priori set of rules has been devised to govern the treatment and processing of messages by agents and owners. The following protocol defines the treatment to be applied, by owners in a functional group, to messages of a functional group in order to ensure secure communication:

1. Private messages may only be accessed by elements of that functional group of the trusted zone and must never be made available to the distrusted zone; thus private messages themselves must never be delivered to a checkpoint.
2. Private messages of a trusted zone must never be stored in agent-readable storage units of any kind. This will ensure that private messages are never available to a distrusted zone.
3. All incoming messages must be appropriately secured (by some means of data transmission security) and are treated as private by virtue of their arrival at a checkpoint; that is, once a message is delivered to a checkpoint, it becomes unavailable to the delivering port of the communication channel.
4. Private messages are processed only by elements of the trusted zone. Owners may access private messages in order to deliver ready information to a security checkpoint.
5. Control messages are specific to a functional group, and may affect the processing being performed on messages specific to that functional group. Control messages can only be issued by owners and interpreted only by their target. The target of a control message is implicitly defined by the checkpoint to which it is delivered.
6. The types of control messages issued to agents should be limited and cannot instruct agents regarding the use of checkpoints; agents are created with inherent knowledge of their function.
7. Control messages may be solicited from the distrusted zone (for example, from another trusted zone element accessible only via the distrusted zone) by the trusted zone, but only such solicited control messages will be interpreted by the trusted zone. Unsolicited control messages originating in the distrusted zone must never be processed by the trusted zone.
8. Public messages are those that may be accessed by elements in both the distrusted zone and the trusted zone. Nevertheless, the accessibility of any public message must be decided on a per-user basis, and the message made available only to the given user by way of the client-completion agent.
9. Public messages are made available to clients by way of agents, but the distrusted zone must never be allowed to modify public messages.
10. The network must be able to determine the authenticity of all messages at any time; thus the distrusted zone must be prevented from manipulating information owned by a trusted zone.
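The ten rules above read as a policy an owner or an IIDS could enforce mechanically at each checkpoint. The following Python is an added example written for this page, not part of the patent, that encodes the rules as a decision function over constructed messages and actors; the field names (kind, group, issuer_role, arrived_via, solicited) and the three operations deliver/read/modify are assumptions chosen to express the rules, and the logged rule number shows which clause a denied operation tripped.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    mid: str
    kind: str                     # "private" | "public" | "control"
    group: str                    # functional group that owns the message
    issuer_role: str              # "owner" | "agent" | "client"
    arrived_via: str = "trusted"  # zone the message came through: "trusted" | "distrusted"
    user: Optional[str] = None    # public messages are released per user (rule 8)
    solicited: bool = False       # control message requested by the trusted zone (rule 7)
    about_checkpoint_use: bool = False  # instruction on how to use checkpoints (rule 6)


@dataclass
class Actor:
    zone: str                     # "trusted" | "distrusted"
    role: str                     # "owner" | "agent" | "client"
    group: str
    user: Optional[str] = None


@dataclass
class Checkpoint:
    group: str
    target_role: str              # who interprets control messages delivered here (rule 5)
    delivered_by: Dict[str, str] = field(default_factory=dict)   # mid -> delivering zone
    log: List[Tuple[int, str]] = field(default_factory=list)    # (rule, description)


def violated_rule(op: str, msg: Message, cp: Checkpoint, actor: Actor) -> int:
    """Return the number of the first rule (1-10) that op would break, or 0 if none."""
    if op == "read" and cp.delivered_by.get(msg.mid) == actor.zone:
        return 3                  # delivered messages are unavailable to the delivering side
    if msg.kind == "private":
        if op == "deliver":
            return 1              # private messages never reach a checkpoint (also rule 2)
        if actor.zone != "trusted" or actor.group != msg.group:
            return 4              # only the owning trusted group processes them
    elif msg.kind == "control":
        if msg.issuer_role != "owner":
            return 5
        if cp.target_role == "agent" and msg.about_checkpoint_use:
            return 6
        if msg.arrived_via == "distrusted" and not msg.solicited:
            return 7
    elif msg.kind == "public":
        if op == "modify" and actor.zone == "distrusted":
            return 9
        if op == "read" and actor.zone == "distrusted" and (
                actor.role != "agent" or actor.user != msg.user):
            return 8              # per-user release through the completion agent only
    if op == "modify" and actor.zone == "distrusted":
        return 10                 # distrusted zone may not manipulate trusted-owned data
    return 0


def vet(op: str, msg: Message, cp: Checkpoint, actor: Actor) -> bool:
    """Apply the protocol to one 'deliver', 'read' or 'modify'; denials are logged."""
    rule = violated_rule(op, msg, cp, actor)
    if rule:
        cp.log.append((rule, f"{actor.role}@{actor.zone} {op} {msg.kind} {msg.mid}"))
        return False
    if op == "deliver":
        cp.delivered_by[msg.mid] = actor.zone
    return True


def run_scenarios() -> Tuple[List[bool], List[int]]:
    """Constructed traffic through one web-services checkpoint (sample data, not from the page)."""
    cp = Checkpoint(group="web", target_role="agent")
    owner = Actor("trusted", "owner", "web")
    agent = Actor("distrusted", "agent", "web", user="alice")
    client = Actor("distrusted", "client", "web", user="mallory")
    priv = Message("m1", "private", "web", "owner")
    pub = Message("m2", "public", "web", "owner", user="alice")
    ctl = Message("m3", "control", "web", "owner")
    forged = Message("m4", "control", "web", "agent", arrived_via="distrusted")
    results = [
        vet("deliver", priv, cp, owner),    # denied, rule 1
        vet("deliver", pub, cp, owner),     # allowed
        vet("read", pub, cp, agent),        # allowed: right user, via the agent
        vet("read", pub, cp, client),       # denied, rule 8
        vet("modify", pub, cp, agent),      # denied, rule 9
        vet("deliver", ctl, cp, owner),     # allowed
        vet("read", ctl, cp, agent),        # allowed: the checkpoint's target reads it
        vet("read", ctl, cp, owner),        # denied, rule 3: delivering side cannot read back
        vet("deliver", forged, cp, agent),  # denied, rule 5
    ]
    return results, [rule for rule, _ in cp.log]
```

The checkpoint log is the signal an IIDS would consolidate: a denial under rule 5 or 7 is a control message the network never issued, and a denial under rule 9 or 10 is a distrusted-zone attempt to alter what the trusted zone owns.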

Securing Communications using DACS, Owners and Agents

DACS are the core component of the secure communication channel. As such, DACS determine both the directionality and the accessibility of messages contained within the checkpoint. Because DACS are controlled by DAC 10, each participant that may access a checkpoint may do so with distinctly different access permissions; thus the directionality of the communication is relative to the “zone” of interest. The network must therefore obey the rules that apply to the use of DACS with any particular access permissions. A bidirectional communication channel is one in which the zone can access the DACS with rw or m permission; that is, that zone can send messages to the checkpoint and can remove messages from the checkpoint.

FIG. 33 is a diagram illustrating the use of DACS to define private bidirectional checkpoints with asynchronous duplexing access capability, where the DACS are based on RAM oriented DACs 10B. Referring to FIG. 33, an owner program A (AP=A) and an agent program B (AP=B) each define a TP-attachment to be used as a secure checkpoint through which they can share messages and communicate. The checkpoint is composed of two shadowed write-only memory ranges (storage ranges A and B), one of which each may write to present data to the other, and read to receive data sent by the other. Since no other access port AP has access to the checkpoint, communication between the programs is private.

FIG. 33 shows one way in which transparently shared storage can be easily implemented on a DAC 10B with secure data access. Each of the two access ports AP declares a different TP-attachment with the *w access permission. The shadow for the TP-attachment of one access port's attachment is the TP-attachment of the other access port's attachment. This arrangement allows the AP-attachment to use the same target storage identifier TID with read instructions even though the permission explicitly disallows a read. DAC 10B will displace the reads to access the shadow, which is the TP-attachment owned by the other. This concept can be extended further to include shared resource distribution in a “one to many” fashion, thus negating the need to replicate shared information to each participant program.

As shown in FIG. 33, a quasi-bidirectional communication channel can be achieved for zones which have either the *r or *w permission to the DACS. The zone will succeed in sending messages toward the checkpoint, but confirmation of the messages sent cannot be achieved by retrieving the messages from the checkpoint. Unidirectional communication channels may only be accessed by the zone in question in either input or output mode; thus the zone may only be assigned either the r or w permission. In addition, DACS used as communication channels should not be primary storage devices. This is precautionary, to prevent exposure of user-specific messages to an unintended user.

The junction between any two zones is forged by the presence of the checkpoint to which both zones have been given access. In actual network terms, this implies that any pair of computers that have no mutually shared DACS are essentially inaccessible to each other, as they have no means by which to communicate or share messages. For computers, the implication applies to programs, and since the OS is just another program, programs can be isolated from even the OS. This gives information-sharing networks the ability to quarantine elements of the network by simply removing the checkpoints between them, removing the messages from the checkpoints, or by deactivating the owners in a trusted zone. Furthermore, intrusion attempts can be detected by noting inappropriate use of the checkpoints—for example, messages which do not match the function of the checkpoint, or attempts to direct messages at r or *r checkpoints, or to read messages from w or *w checkpoints.
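To make the mechanics of the preceding passages concrete (the owner-only move/resize and the lo == hi release of a shared range, the mutually shadowed *w ranges of FIG. 33, and the detection of inappropriate checkpoint use), here is an added Python model of a DAC 10B. It is example code written for this page, not the patent's own design or an implementation of the device. The class names, the permission set r, *r, w, *w, rw and m, and the convention that a starred permission displaces the disallowed direction to the attachment's shadow rather than refusing it are assumptions drawn from the description above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Permission strings used on the page: r, *r, w, *w, rw, m (modify).
# Assumption: a leading "*" means the disallowed direction is displaced to the
# attachment's shadow instead of being refused; "m" includes rw.
READ_OK = {"r", "*r", "rw", "m"}
WRITE_OK = {"w", "*w", "rw", "m"}


@dataclass
class Attachment:
    lo: int                                   # port.lo: first real address of the range
    hi: int                                   # port.hi: end of the range; lo == hi means released
    perm: str
    owner: bool = False                       # True for the access port that defined the range
    shadow: Optional[Tuple[str, str]] = None  # (ap, tid) whose range absorbs displaced operations


class DAC10B:
    """Toy DAC 10B: AP-attachments keyed by (access port, TID) over one real memory."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)            # real addresses, no virtual mapping
        self.table: Dict[Tuple[str, str], Attachment] = {}
        self.violations: List[str] = []       # what an IIDS would consolidate

    def attach(self, ap: str, tid: str, lo: int, hi: int, perm: str,
               owner: bool = False, shadow: Optional[Tuple[str, str]] = None) -> None:
        self.table[(ap, tid)] = Attachment(lo, hi, perm, owner, shadow)

    def _deny(self, msg: str) -> None:
        self.violations.append(msg)           # enforcement does not depend on the CPU
        raise PermissionError(msg)

    def _target(self, ap: str, tid: str, op: str) -> Attachment:
        """Resolve (ap, tid) for a read or write, displacing to the shadow when allowed."""
        a = self.table.get((ap, tid))
        if a is None or a.lo == a.hi:
            self._deny(f"{ap}: {op} on unattached or released {tid}")
        if a.perm in (READ_OK if op == "read" else WRITE_OK):
            return a
        if a.perm.startswith("*") and a.shadow is not None:
            return self.table[a.shadow]       # e.g. a read on a *w range lands on its shadow
        self._deny(f"{ap}: {op} disallowed on {tid} ({a.perm})")

    def write(self, ap: str, tid: str, offset: int, data: bytes) -> None:
        a = self._target(ap, tid, "write")
        if offset + len(data) > a.hi - a.lo:
            self._deny(f"{ap}: write past end of {tid}")
        self.mem[a.lo + offset:a.lo + offset + len(data)] = data

    def read(self, ap: str, tid: str, offset: int, n: int) -> bytes:
        a = self._target(ap, tid, "read")
        if offset + n > a.hi - a.lo:
            self._deny(f"{ap}: read past end of {tid}")
        return bytes(self.mem[a.lo + offset:a.lo + offset + n])

    def release(self, ap: str, tid: str) -> None:
        """A non-owner drops its access by equating port.lo and port.hi."""
        a = self.table[(ap, tid)]
        a.lo = a.hi

    def resize(self, ap: str, tid: str, lo: int, hi: int) -> None:
        """Only the owning access port may move or resize a shared range."""
        a = self.table[(ap, tid)]
        if not a.owner:
            self._deny(f"{ap}: non-owner tried to resize {tid}")
        a.lo, a.hi = lo, hi


def fig33_exchange() -> dict:
    """FIG. 33: two *w ranges, each the shadow of the other, form a private duplex channel."""
    dac = DAC10B(96)
    dac.attach("A", "cp", 0, 32, "*w", owner=True, shadow=("B", "cp"))
    dac.attach("B", "cp", 32, 64, "*w", owner=True, shadow=("A", "cp"))
    dac.write("A", "cp", 0, b"hello from A")       # lands in storage range A
    dac.write("B", "cp", 0, b"ack from B")         # lands in storage range B
    b_sees = dac.read("B", "cp", 0, 12)            # read on *w is displaced to A's range
    a_sees = dac.read("A", "cp", 0, 10)            # and vice versa

    # A third port C holds a separate read-only range (constructed); its write
    # attempt and its access after release are the "inappropriate use" an IIDS would flag.
    dac.attach("C", "pub", 64, 96, "r")
    for action in (lambda: dac.write("C", "pub", 0, b"x"),
                   lambda: dac.release("C", "pub"),
                   lambda: dac.read("C", "pub", 0, 1)):
        try:
            action()
        except PermissionError:
            pass
    return {"b_sees": b_sees, "a_sees": a_sees, "violations": list(dac.violations)}


if __name__ == "__main__":
    print(fig33_exchange())
```

Each program reads and writes the same TID; the controller, not the program, decides which real range a read reaches, so neither side ever holds an address for the other's storage, and the violation list records exactly the misuse the paragraph above says an intrusion detector should watch for.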

Owners are processing agents within a trusted zone that manage the secure sharing of particular resources that the network provides for its clients. Owners use the checkpoints as portals through which they serve resources to clients and as portals through which to collect messages that need to be posted as ready information to their resource destination. Ideally, an owner serves resources proactively to client-specific checkpoints—that is, as the client connects to the network. Each owner furnishes the client with the agents it requires and gives the agents access to all the resources that the user will require and that the network has pre-assigned to the user. Additional resources may be made available to the user after connection, but only at the behest of the network's administration and not at the request of the user. Finally, since agents may not access private messages even if they belong to the user, owners may process such private messages for the user and forward only the processed result to the agents. Owners thus protect the network by making it unnecessary to expose private messages to risks that may or may not exist in the distrusted zone.

Agents are provided to clients in the distrusted zone to temporarily remove the deficits that cause the clients to need the network. Completed as such, a client can proceed to operate as if it were a self-contained, independent entity. The definition of the agent suggests the extent to which the network must augment the client. Clients that require increased processing power are provided with the added processing power of the agents. A client that requires the ability to access information that is not native to the client is provided with the means that the agent uses to access that information. A client that requires additional information that it may gain from the network is provided with that information by virtue of the agent's access to information at checkpoints. A client that is required to produce information for the network is provided with agents that have the ability to prepare that information for entry to the checkpoints. Agents provide protection to the network in several ways. By completing the client and making it self-contained:

1. The network keeps each client beyond the reach of all other clients.
2. The network ensures that uncooperative users of the client will not succeed in discovering anything outside of their own environment.
3. The network assures that the risk of processing user information is contained within the user's environment, and that information the client delivers to the network is in a risk state that is known and expected by the network. This keeps the risks out of the network's environment, where they may have had side effects on the network or its other systems.

Thus the secure communication channels allow the participants to share information while isolating the risks involved with such sharing at their point of origin. FIG. 34 demonstrates the manner in which agents and owners cooperate to securely provide access to a common resource shared between many clients.

FIG. 34 illustrates how to use DACs 10B to define communication channels for the secure sharing of a common resource. Owner A (AP=A) services common resource A (storage range A), while allowing concurrent sharing of the resource between clients completed by agent B and agent C (AP=B and AP=C) in quasi-bidirectional, asynchronous, duplexing mode. A transfer port TP in each of agent B and agent C defines a shadowed write-only memory range (storage range B and storage range C) to which each may write to present messages to resource A, and read to retrieve messages from resource A. Owner A defines two sharing resources, each accessing the same resource A, as shadowed read-only memory ranges and assigns resource A to be the shadow of both agents' checkpoint input ports. Owner A can also read the checkpoint input ports of agents B and C and assign resource A as their shadows.

The checkpoint provides multiple input ports from agents to the owner, and allows agents to share the same output port while binding the common resource to each agent's input so that the owner cannot misaddress or cross-link the agents. Depending on implementation, resource A may be the true resource A or it may be a virtual representation of resource A. Nevertheless, agents do not directly manipulate the common resource; they present related information, from the client to the owner, in the same format as is found by reading from the resource. The owner melds the information from the two agents and the resource in order to update common resource A. By virtue of the activities of agents and owners, the communication channel vouches that the information delivered to each participant is the authentic information sent by the other participant.

Example: Using DACS to Protect and Provide Restricted Access to Sensitive Data

The following is an example of the use of DACS, in this case using a combination of RAM oriented DACs 10B and SCSI oriented DACs 10A, as elements of the described secure communication channels in a hybrid network 100 that protects a standard network from intrusions via the Internet and less secure internal workstations.

FIG. 35(A) shows the utilization of SCSI oriented DACs 10A to partition and protect stored data on a standard network that has Internet access, by using its unique ability to provide locally controlled (and remotely inaccessible) mapping of data pathways. The proposed layout represents a fault tolerant system with a standard Internet front-end designed to circumvent “Denial of Service” (DoS) attacks. Agent systems are standard Internet servers dedicated for public access by Internet clients to web and e-mail services etc. Supervisor systems provide local server-like functions in the management and dissemination of shared data to client systems in their zone and can be used for local configuration of the workstations and other servers in their zone. “Internal Intrusion Detection Systems” or IIDS systems IDx consolidate access violation logs while monitoring all storage devices for evidence of tampering. Custodians C are independently responsible for routine maintenance of the storage systems. System Masters SM connect to a DAC 10A via owner access ports AP and can use their attachment point to span across interconnected DACs 10A. They are a central location from which set-up and configuration of the network storage can occur. Hybrid network 100 is arranged as four functional segments, and the segments are each partitioned according to the similarity of access to stored information. Stored data can be shared transparently within and across segments without the need for agents or clients to be aware of the sharing mechanism. Supervisors are also unaware of other segments.

FIG. 35(A) shows hybrid network 100 with built-in fault-tolerance and load-balancing of agent systems and three segments each with a different operational security rating (0 to 3 in ascending order), requiring a corresponding degree of physical security. The represented network is similar to that of a standard organization in which employees require Internet access and clients interact with the organization over the Internet. For this purpose, DACS are labeled as S_(x)Y^(z) where:

-   x = a number identifying the DACx to which it is attached
-   Y = its logical identification number for the DACS on that DACx
-   Y^(z) = its functional designation, where z can be any of:
    -   ⁰ = primary source or destination (according to *r or *w, see Table I)
    -   ^(s) = shadow of primary unit
    -   nothing = not shadowed

The Security Configuration

The standard network has been segmented into zones based on the level of security clearance allowed to the members of a zone. The zones are then separated and protected by DACs 10A and use the available DACS in secure communication channels to support the information-sharing-only, function-oriented networking throughout. For the sake of simplicity, the security configuration for Level 1 and Level 2 is assumed to be identical except for the security classification of the information to which each level has access. Each computer is equipped with a RAM oriented DAC 10B and their OS have been modified to use checkpoints, owners and agents to implement resource and information sharing between the OS and applications (as illustrated in FIGS. 33 and 34). Despite the use of the modified network principles within the computers, hybrid network 100 itself uses SCSI oriented DACS for establishing the secure communication channels between each Level, and for simplicity's sake, Level 0 is considered the distrusted zone. The distrusted zone is the extent of the local network that is sacrificed for the completion of Internet clients.

FIGS. 35(B), (C), and (D) show the physically mapped data paths that are established within DAC1, DAC0 and DAC2 respectively, to generate the environment that allows secure Internet connectivity. The DACs 10A are shown as the central cylinder with the radiating spokes at both the top and bottom. Terminal units (depicted as cylinders at the end of spokes) represent storage devices, and designate those spokes as transfer ports TP. AP-attachments (depicted in FIG. 35 as a computer figure) at the end of a spoke designate that spoke as an access port AP. Data flow follows the direction of the arrow at the spokes while the tails of arrows (at arrow junctions or at spokes) indicate data sources. Bi-directional channels are traceable by arrowheads on both ends with tails joined at a junction. Junction terminal pads join shadowed paths indicated by a dotted line. The shadow paths conduct traffic either to or from access ports AP and terminate only at transfer ports TP, since transfer ports TP do not interact with each other. Note the shared utilization of resources without the need for AP-attachments to know of or about each other.

In FIG. 35(D), DAC0 has 9 attached storage units (S₀1⁰-S₀3⁰, S₀1^(s), S₀3^(s), S₀4-S₀6) and at least 8 access ports. These DACS support secure communication channels that allow the lowest security zone, the “web-services functional group” (Level 0), to securely interface the trusted zone with the distrusted zone (the Internet). This zone, though having the lowest security clearance and lowest physical security coverage, has the tightest security settings due to having the highest risk exposure. The inhabitants of this Level are:

1. A Master Webserver (Level 0 Supervisor), logically assigned to security Level 0 but physically protected and classified as an owner in the web-services functional group. It attaches to a secondary port of DAC0 using the following DACS and security settings:

TABLE VII

| DACS | Access level | Purpose |
|---|---|---|
| S₀1⁰ | modify (rw) | OS, logs, registry, public applications, outbound public messages checkpoint |
| S₀2⁰ | modify (rw) | Storage for web-pages, management of distrusted zone agents |
| S₀3⁰ | read-only (r) | Agent software, secure inbound inter-zone communication checkpoint |
| S₀3^(s) | shadow (w) | Traps intrusion events, secure outbound inter-zone communication checkpoint |
| S₀6 | modify (rw) | Page-file storage |

This server is a member of the trusted zone, processes messages relevant to website servicing and management, and is subservient to the System Master SM, which is the master on DAC0. This server updates the system logs with the approved fragments collected from agent systems in the distrusted zone. Modifications to the system settings for all agent web-servers may be adjusted from this console or from the console of the System Master SM. This server has no local or private storage units, and systems in any other Level with write permission to checkpoints via S₀3⁰ may post requests for web related services. Requests approved by the IIDS and properly authenticated by the System Master SM will be relayed to the appropriate Agent systems indirectly via this server.

2. Web agents (Agent1 & Agent1-clone) are web-servers, logically and physically located in the Level 0 security zone and arranged in a cluster for backup/load balancing. Although equipped with RAM communication channels for added robustness, all are considered agents in the distrusted zone. Referring to FIG. 35(D), each attaches to a secondary port on DAC0 using the following DACS and security settings:

TABLE VIII

| DACS | Access level | Purpose |
|---|---|---|
| S₀1⁰ | read-only (*r) | OS, logs, registry, public applications, outbound public messages |
| S₀1^(s) | shadow (w) | Traps intrusion attempts and incoming messages |
| S₀2⁰ | read-only (*r) | Source for web-pages and temporary source for Agent software |
| S₀2^(s) | shadow (w) | Traps intrusion attempts |
| One of S₀4-S₀5 | modify (rw) | Storage for page-file (if necessary) |

Shadowing of the primary DACS asserts the privacy requirement to all incoming messages as specified in the above description of the secure communication channel. In a like manner, attempts to modify existing files will leave an un-modifiable record of the event, thus ensuring that logs and other intrusion forensics are inaccessible for external modification. No local or private storage units are present on these agents. Some software agents (functions) on these servers have owners in the different Levels who handle specific operations regarding private messages that cannot be directly fulfilled by these agents. Such operations are requested as messages formatted and tagged and redirected to the respective secure checkpoint for further processing.

Referring now to FIG. 35(B), DAC1 has 9 attached storage units (S₁1⁰-S₁3⁰, S₁5⁰, S₁1^(s)-S₁3^(s) (a partition on S₁2^(s)), S₁5^(s), S₁4, S₁6) and at least 7 access ports. These DACS support secure communication channels that allow this lower security clearance system of the trusted zone, the “support services functional group” (Level 1), to interact securely with the higher security clearance elements of the trusted zone. Inhabitants of this Level may include:

1. Workstations in Level 1 may, for example, be inhabited by support staff in an organization, who may not be, or need not be, very security minded, and whose need for direct access to critical information or systems can be limited without compromising productivity. The workstations attach to DAC1 via secondary access ports using the following DACS and security settings:

TABLE IX

| DACS | Access level | Purpose |
|---|---|---|
| S₁1⁰ | read-only (*r) | OS, logs, registry, applications |
| S₁1^(s) | shadow (w) | Traps intrusion attempts and private checkpoint for outbound messages |
| S₁2⁰ | read-only (*r) | Source for non-sensitive static data shared by these members |
| S₁2^(s) | shadow (w) | Traps intrusion attempts |

    The workstations also participate in a standard network arrangement to support legacy software and to demonstrate the security features conveyed by the DAC 10A. All workstations have local storage units controlled in the standard manner for networks.

2. The local segment Supervisor of Level 1 interfaces with the workstations and functions as their standard network server. It controls access to zone resources and acts as a local proxy for the rest of the network. This Supervisor attaches to DAC1 via a secondary access port using the following DACS and security settings:

TABLE X

| DACS | Access level | Purpose |
|---|---|---|
| S₁2⁰ | modify (rw) | Common data shared by Level 1 members |
| S₁3⁰ | read-only (*r) | OS, logs, registry, applications |
| S₁3^(s) (S₁2^(s)) | shadow (w) | Traps intrusion attempts |
| S₁5⁰ | read-only (*r) | Secure inter-zone communication checkpoint for inbound messages |
| S₁5^(s) | shadow (w) | Secure inter-zone communication checkpoint for outbound messages |
| S₁4 | modify (rw) | Restricted Data/Work space for zone supervisor |
| S₁6 | modify (rw) | Page-file storage (if necessary) |

Referring now to FIG. 35(C), DAC2 has 9 attached storage units (S₂1⁰-S₂3⁰, S₂5⁰, S₂1^(s)-S₂3^(s) (a partition on S₂2^(s)), S₂5^(s), S₂4, S₂6) and at least 7 access ports. These DACS support secure communications channels that allow this higher security clearance system of the trusted zone, the “executive services functional group” (Level 2), to interact with lower and higher security clearance systems of the trusted zone. Inhabitants of this level may include:

1. Several workstations in the Level 2 security zone. Level 2 is inhabited by administrative members who oversee work done by Level 1, and who manipulate or generate some sensitive information. The workstations attach to DAC2 via secondary access ports using the following DACS and security settings:

TABLE XI

| DACS | Access level | Purpose |
|---|---|---|
| S₂1⁰ | read-only (*r) | OS, logs, registry, applications |
| S₂1^(s) | shadow (w) | Traps intrusion attempts and private outbound messages |
| S₂2⁰ | read-only (*r) | Source for sensitive, static data shared by all members of this zone |
| S₂2^(s) | shadow (w) | Traps intrusion attempts |

    These workstations also participate in a standard network arrangement to support legacy software and to demonstrate the security features conveyed by the DAC 10A. All workstations have local storage units controlled in the standard manner for networks.

2. The local segment Supervisor of Level 2 interfaces with the workstations and functions as their standard network server. It controls access to zone resources and acts as a local proxy for the rest of the network. This Supervisor attaches to DAC2 via secondary access ports using the following DACS and security settings:

TABLE XII

| DACS | Access level | Purpose |
|---|---|---|
| S_(x)2⁰ | modify (rw) | Common data shared by members of the zone |
| S_(x)3⁰ | read-only (*r) | OS, logs, registry, applications |
| S_(x)3^(s) (S_(x)2^(s)) | shadow (w) | Traps intrusion attempts |
| S_(x)5⁰ | read-only (*r) | Secure inter-zone communication checkpoint for inbound messages |
| S_(x)5^(s) | shadow (w) | Secure inter-zone communication checkpoint for outbound messages |
| S_(x)4 | modify (rw) | Restricted Data/Work space for these zone supervisors |
| S_(x)6 | modify (rw) | Page-file storage |

    No local storage medium is present on these servers, and control or reconfiguration of these servers can only be done from the console of the System Master SM. Otherwise, the servers and their zones of control can operate independently.

DAC3 has 9 attached storage units (S₀1⁰-S₀3⁰, S₀1^(s), S₀3^(s), S₀4-S₀6) and at least 6 access ports. These DACS support secure communications channels that allow the highest security clearance systems of the trusted zone, the “administrative services functional group” (Level 3), to interact with, and oversee the operations of, all other elements of the trusted zone. This Level is populated by:

1. A Custodian workstation that is attached to secondary ports on all DACs. Agent software on this workstation serves to maintain the intrusion traps and to collect intrusion evidence and anomalies from all systems for later analysis. The Custodian C attaches to DAC3, on which its OS resides, and its access to the DACS on this device is as follows:

TABLE XIII

| DACS | Access level | Purpose |
|---|---|---|
| S1⁰ | read-only (*r) | OS, logs, registry, applications |
| S1^(s) | shadow (w) | Traps intrusion attempts, Page-file storage, target for maintenance agent functions |
| S2^(s) | modify (rw) | Target for maintenance agent functions |
| S3^(s) | modify (rw) | Secure communications channel for intra-Level 3 messages, and target for maintenance agent functions |
| S4 | modify (rw) | Repository for IIDS logs, intrusion events, anomalies collected by maintenance agent functions |
| S5 | modify (rw) | Target for maintenance agent functions |

    The Custodian C also attaches to DAC0 with the following settings:

TABLE XIV

| DACS | Access level | Purpose |
|---|---|---|
| S1⁰ | modify (rw) | Target for maintenance agent functions |
| S1^(s) | modify (rw) | Target for maintenance agent functions |
| S2⁰ | modify (rw) | Target for maintenance agent functions |
| S2^(s) | modify (rw) | Target for maintenance agent functions |
| S4-S6 | modify (rw) | Target for maintenance agent functions |

    The Custodian C also connects to DAC1 and DAC2 with the following settings:

TABLE XV

| DACS | Access level | Purpose |
|---|---|---|
| S5⁰, S3⁰ | modify (rw) | Target for maintenance agent functions |
| S1^(s), S2^(s) | modify (rw) | Target for maintenance agent functions |
| S4, S6 | modify (rw) | Target for maintenance agent functions |

2. Three (3) IIDS units, one for each of DAC0, DAC1, and DAC2. All three units share in logging all events occurring onto DAC3. The IIDS units present themselves as normal environments to investigate all files on all shadow storage units and all files on any non-shadowed units. The high degree of protection of the IIDS units allows them to activate any virus, trojan, scripts or other agents of intruders to discover their intent and tag them for removal without succumbing to their effects. IIDS logs are available to all units on DAC3 and are used by the Custodian C and System Master SM to locate approved files for continued processing, or tagged files for removal to quarantine. The master repository of intrusion forensics and the OS for the IIDS units are unavailable to the System Master SM and are only accessible in read-only mode for all systems except the Custodian C. The data access and communication channels of the entire IIDS are mapped in FIG. 36.

FIG. 36 shows the connection paths available to the IIDS systems. The IIDS uses the connections to monitor storage devices on the DACs 10A and record tampering evidence. Systems of Custodian C monitor the IIDS logs to remove the evidence once it is recorded, and to effect repairs to any system or user files that have been affected.

3. A System Master Server is assigned to Security Level 3 with access to all other DACs 10A via DAC0. FIG. 37 shows how the System Master SM spans the DACs 10A to gain control of the entire network. The access port connections for the IIDS and Custodian C are also shown. The arrangement shown in FIG. 37 demonstrates the interconnectivity achievable by linking any access port AP of one DAC 10A with any transfer port TP of another DAC 10A. DAC0, the central DAC, is programmed so that the AP to which the System Master SM is attached has access to various DACS attached to the interconnected DACs. In this manner, the System Master SM can “remotely” configure or control the behavior of any attached systems, but not necessarily control all the attached systems. In this setup, the System Master SM is denied access to the web-page storage DACS as well as DACS that would enable control of the IIDS units. This arrangement is robust so that even if the System Master SM is compromised, it will still be possible to track any changes made to the system. The IIDS OS and central logs are made inaccessible to the System Master SM, allowing forensics even in the event of a compromise of physical premises.

Network Configuration

FIG. 38 is a schematic diagram illustrating the manner in which DACs 10 can be interconnected into a hybrid network 100, and illustrating the controlled flow of traffic that the secure communication channels make possible on the hybrid network 100. Squares represent sample members of hybrid network 100 and ovals delineate the Levels within hybrid network 100. Not all members are shown in each Level, but their communication paths within their Level mirror those of the depicted samples. The arrows represent the paths possible for data flow between agents and owners, and the arrow direction indicates the direction of network traffic along the paths. Solid arrows represent communications requiring full co-operation between both parties. Data flow through these paths will cease when either party detects a breach in security. Dashed lines represent mandatory data flow paths that stay open except during a system crash or a manual disconnect. These paths are hidden to all users and are protected by the boot-driver from all accesses, even the OS. They carry logs and control information that aid in detection of intrusions and facilitate real-time responses. Both parties on dashed paths will respond only to a specific and limited set of requests, none of which have meaning in solid paths and thus will not “travel” in solid paths. Bidirectional arrows indicate that either source may post messages to, and receive messages from, the other. Unidirectional arrows indicate that the path may only be used by the source to post messages to the destination. In the case of dashed unidirectional paths, the destination is invisible to the source and has direct access (without agent-owner interaction) to specific information stores on the source. All zones can be physically enforced, while zone 3 uses physical security for access control as well. FIG. 38 shows the manner in which DACs 10 can be interconnected and used as a secure network infrastructure by using specific TP-attachments as secure communication channels.
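The path rules just described (solid versus dashed, unidirectional versus bidirectional, control requests that never travel on solid paths, and solid paths closing on a detected breach) can be captured in a small model. The following is an added illustration written for this page, not the patent's own code: the member names `Ag1`, `MW`, `ID0`, `Cl1`, `SM`, `C` and the arrows between them are constructed for the example and do not reproduce the actual topology of FIG. 38.

```python
"""Toy model of the FIG. 38 path rules, added for this page as an illustration
(not the patent's own code).  The member names and arrows below are constructed
for the example; the figure's actual topology is not reproduced."""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    SOLID = "solid"     # co-operative path; either party stops the flow on a breach
    DASHED = "dashed"   # hidden mandatory path for logs/control; stays open


class MsgClass(Enum):
    USER = "user"         # ordinary request/reply traffic: solid paths only
    CONTROL = "control"   # log/control requests: have no meaning on solid paths


@dataclass
class Channel:
    src: str
    dst: str
    kind: Kind
    bidirectional: bool = False   # if False only src may post to dst
    open: bool = True


class HybridNetwork:
    def __init__(self, channels):
        self.channels = list(channels)

    def _find(self, src, dst):
        for ch in self.channels:
            if (ch.src, ch.dst) == (src, dst):
                return ch
            if ch.bidirectional and (ch.dst, ch.src) == (src, dst):
                return ch
        return None

    def can_post(self, src, dst, cls):
        """Decide whether src may post a message of class cls to dst, with the reason."""
        ch = self._find(src, dst)
        if ch is None:
            return False, "no path"
        if not ch.open:
            return False, "solid path closed after breach"
        if ch.kind is Kind.DASHED and cls is not MsgClass.CONTROL:
            return False, "dashed path carries control traffic only"
        if ch.kind is Kind.SOLID and cls is MsgClass.CONTROL:
            return False, "control requests do not travel on solid paths"
        return True, ch.kind.value

    def visible_peers(self, member):
        """Solid peers are known to both ends; on a dashed path only the destination sees the source."""
        peers = set()
        for ch in self.channels:
            if ch.kind is Kind.SOLID and member in (ch.src, ch.dst):
                peers.add(ch.dst if member == ch.src else ch.src)
            elif ch.kind is Kind.DASHED and member == ch.dst:
                peers.add(ch.src)
        return sorted(peers)

    def report_breach(self, member):
        """Either party on a solid path stops data flow; dashed paths stay open."""
        closed = []
        for ch in self.channels:
            if ch.kind is Kind.SOLID and member in (ch.src, ch.dst):
                ch.open = False
                closed.append((ch.src, ch.dst))
        return closed


def build_sample():
    # Constructed topology: a web agent, the Master Webserver, an IIDS unit, a client, the System Master, the Custodian.
    return HybridNetwork([
        Channel("Ag1", "MW", Kind.SOLID, bidirectional=True),   # requests and replies
        Channel("Ag1", "ID0", Kind.DASHED),                     # logs flow out; IIDS is invisible to Ag1
        Channel("Cl1", "SM", Kind.SOLID),                       # client may only post to SM
        Channel("ID0", "C", Kind.DASHED),                       # Custodian C monitors the IIDS logs
    ])


def run_demo() -> dict:
    net = build_sample()
    out = {
        "agent_request": net.can_post("Ag1", "MW", MsgClass.USER),
        "agent_control_on_solid": net.can_post("Ag1", "MW", MsgClass.CONTROL),
        "agent_user_on_dashed": net.can_post("Ag1", "ID0", MsgClass.USER),
        "agent_log": net.can_post("Ag1", "ID0", MsgClass.CONTROL),
        "sm_to_client": net.can_post("SM", "Cl1", MsgClass.USER),
        "agent_peers": net.visible_peers("Ag1"),
        "iids_peers": net.visible_peers("ID0"),
    }
    out["closed"] = net.report_breach("Ag1")                      # Ag1 detected as breached
    out["agent_request_after"] = net.can_post("Ag1", "MW", MsgClass.USER)
    out["agent_log_after"] = net.can_post("Ag1", "ID0", MsgClass.CONTROL)
    return out
```

The point the model makes is the one the paragraph makes: after a breach report the agent's solid path to the Master Webserver is closed, while its dashed path to the IIDS keeps carrying log traffic, and the agent never learns that the IIDS exists as a peer.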

The only precaution taken by the presented hybrid network 100 is to set the operating system to deny system shutdown by any user or process on the master web-server and its agents. Except for the given DAC settings, this hybrid network 100 uses no other commercially available defense mechanism. The web-server agents are the only systems with a standard direct network connection to the internet. The Custodian C and the Master Webserver are under physical protection.

Distrusted Zone Attacks—Network Defenses

Referring to FIG. 35(A), assuming that an attacker can access an agent web-server (via the Internet or locally) with valid access to any allowed user login (possibly even root user/Administrator) and password (gained by any means available to him/her), the following is a table of possible attack thrusts, defensive responses and attack results:

TABLE XVI

| Attack | Defense & Result |
|---|---|
| Attacker logs on to agent server | No challenge, log-on event is recorded on shadow S₀1^(s) |
| Attacker tries permission escalation* | Attempt echoed to S₀1^(s), attempt unsuccessful. |
| Attacker tries to gain modify access permission to a web-page folder* | Attempt logged to S₀1^(s) and echoed to S₀2^(s), but unsuccessful. |
| Attacker tries to modify web-page file | Modification echoed to S₀2^(s), attempt unsuccessful |
| Attacker tries to install tools on agent server | Tool echoed to S₀1^(s), S₀2^(s) or successfully written to page-file drive but tool is inaccessible due to removal by IIDS and Custodian C. RAM DACS detect and quarantine memory based attack tools. |
| Attacker tries to disable security measures with malicious agents | Attempt unsuccessful, DAC is “invisible” to attached systems, IIDS agents protect each other, messages will not be processed without IIDS approval, Custodian C maintains agent page-file storage regardless of IIDS functionality. |
| Attacker scans for attached systems for indirect assault | Attacker finds only similarly protected backup and clone servers |

* Necessary only if not logged on as root/administrator with the required permission.

Since Webserver agents are considered elements of the distrusted zone, they are given no access to any critical systems. DAC0 keeps them unique and effectively isolated from other internal systems. The transparent access feature of DACS ensures that there is no method available by which an intruder can detect or directly target any critical systems such as Custodian C or the Master Webserver. The shadow storage units, Custodians C and IIDSs, none of which can be detected or bypassed, covertly capture and actively filter all activity being performed by these agents, thus it is unnecessary to directly challenge an attacker at any time. Since all operating system modifications must be done through the OS storage unit, and the unit is “effectively” read-only, agents cannot modify the OS nor any related file permission. DAC 10A controls access to that storage, thus all OS permissions can be overridden by DAC 10A. RAM based communication channels and DACs 10B help the OS and applications resist intrusion attempts and quarantine damaged or misbehaving programs. In addition, agents have “effectively” read-only access to storage for the web-pages, so access to or modification of web pages can be prevented by the DAC even if the OS permissions should allow it. At the same time, the Master Webserver can easily update the OS and web-pages, which are the same as those used by its agents. The page-file system storage could be a point of vulnerability, but it is transparently maintained by other systems, through DAC 10A, that neutralize any foreign object placed there. Web-based applications that would be required to interact with critical information such as e-commerce databases etc. are serviced by agent software that would post the required operations to the security checkpoints. These requests are validated and authenticated by IIDS0 and a System Master SM before being processed in the trusted zone, with only the results of the operations being posted back to the responsible agent. In this manner, no critical information is ever returned to the agent systems. Compromising agent software in memory would invoke the failsafe feature of the communication channel since the application would lose its link to the internal systems. “Tricking” agents into requesting such changes will also fail since only requests that conform to the a priori rules, established by the trusted zone, will be processed (requests, by these agents, to modify web-pages are not serviced).
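The defensive argument above rests on three properties of the DAC: permissions for every AP-to-TP path are set only from the primary AP, a storage unit with no enabled path is undetectable from that AP, and writes refused on a read-only path leave a record on the bound shadow unit that the writer cannot read back. The following model, added for this page as an illustration (not the patent's own code), encodes those properties and replays the rows of TABLE XVI from the defender's side. The unit names `S01_0`, `S01_s`, `S02_0`, `S02_s`, `S04` and the port names `MW` (Master Webserver), `Agent1` and `C` (Custodian) are constructed to mirror TABLE VIII; storage is modelled as in-memory dicts.

```python
"""Toy model of a DAC per-path access matrix, added for this page as an
illustration (not the patent's own code).  Constructed assumptions: storage
units are in-memory dicts, a 'shadow' unit is bound to a primary unit's path
so that refused writes are journalled there, and all names are invented."""
from enum import Enum
from typing import Optional


class Mode(Enum):
    READ_ONLY = "*r"   # reads pass; writes are refused and echoed to the bound shadow
    MODIFY = "rw"      # reads and writes pass


class AccessDenied(Exception):
    pass


class DAC:
    def __init__(self, owner_ap: str, unit_names):
        self.owner_ap = owner_ap                        # primary AP: only port that may set paths
        self.units = {name: {} for name in unit_names}  # unit -> {file name: content}
        self.paths = {}                                 # (AP, unit) -> (Mode, shadow or None)

    def set_path(self, requester: str, ap: str, unit: str, mode: Mode,
                 shadow: Optional[str] = None) -> str:
        # Permissions for every AP->TP path are set only through the primary AP.
        if requester != self.owner_ap:
            raise AccessDenied(f"{requester} is not the owner AP")
        self.paths[(ap, unit)] = (mode, shadow)
        return "path set"

    def visible_units(self, ap: str) -> list:
        # No enabled path means the unit cannot even be detected from that AP, so a
        # shadow bound to an agent's path never shows up for that agent.
        return sorted(u for (a, u) in self.paths if a == ap)

    def read(self, ap: str, unit: str, fname: str):
        if (ap, unit) not in self.paths:
            raise AccessDenied(f"{unit} is not visible from {ap}")
        return self.units[unit].get(fname)

    def write(self, ap: str, unit: str, fname: str, data: str) -> str:
        if (ap, unit) not in self.paths:
            raise AccessDenied(f"{unit} is not visible from {ap}")
        mode, shadow = self.paths[(ap, unit)]
        if mode is Mode.MODIFY:
            self.units[unit][fname] = data
            return "written"
        if shadow:   # keep an unmodifiable record of the attempt, then refuse the change
            self.units[shadow].setdefault(fname, []).append((ap, data))
        raise AccessDenied(f"{unit} is read-only from {ap}")

    def remove(self, ap: str, unit: str, fname: str) -> str:
        if self.paths.get((ap, unit), (None, None))[0] is not Mode.MODIFY:
            raise AccessDenied(f"{unit} is not writable from {ap}")
        self.units[unit].pop(fname, None)
        return "removed"


def build_dac0() -> DAC:
    """DAC0 wired after TABLE VIII: MW (Master Webserver) owns the primary AP,
    Agent1 is a web agent on a secondary AP, C is the Custodian (names constructed)."""
    dac = DAC("MW", ("S01_0", "S01_s", "S02_0", "S02_s", "S04"))
    dac.set_path("MW", "MW", "S01_0", Mode.MODIFY)           # owner maintains the OS image
    dac.set_path("MW", "MW", "S02_0", Mode.MODIFY)           # ... and the web pages
    dac.set_path("MW", "Agent1", "S01_0", Mode.READ_ONLY, shadow="S01_s")
    dac.set_path("MW", "Agent1", "S02_0", Mode.READ_ONLY, shadow="S02_s")
    dac.set_path("MW", "Agent1", "S04", Mode.MODIFY)         # page-file storage
    for unit in ("S01_s", "S02_s", "S04"):                   # Custodian reads the traps, cleans S04
        dac.set_path("MW", "C", unit, Mode.MODIFY)
    return dac


def attempt(fn, *args):
    """Run one access and fold a refusal into a string so outcomes can be compared."""
    try:
        return fn(*args)
    except AccessDenied as exc:
        return f"denied: {exc}"


def run_scenarios() -> dict:
    """Replay rows of TABLE XVI against the model, then the Custodian's clean-up."""
    dac = build_dac0()
    dac.write("MW", "S02_0", "index.html", "<h1>ok</h1>")
    out = {"agent_sees": dac.visible_units("Agent1")}
    out["agent_reads_page"] = dac.read("Agent1", "S02_0", "index.html")
    out["deface"] = attempt(dac.write, "Agent1", "S02_0", "index.html", "<h1>changed</h1>")
    out["page_after"] = dac.read("MW", "S02_0", "index.html")
    out["escalate"] = attempt(dac.write, "Agent1", "S01_0", "etc/sudoers", "agent ALL")
    out["agent_reads_trap"] = attempt(dac.read, "Agent1", "S01_s", "etc/sudoers")
    out["tool_drop"] = attempt(dac.write, "Agent1", "S04", "tool.bin", "constructed-blob")
    out["agent_sets_perm"] = attempt(dac.set_path, "Agent1", "Agent1", "S02_0", Mode.MODIFY)
    out["evidence"] = {u: dac.read("C", u, f)      # the shadows hold the evidence
                       for u, f in (("S02_s", "index.html"), ("S01_s", "etc/sudoers"))}
    out["cleanup"] = dac.remove("C", "S04", "tool.bin")
    out["tool_after"] = dac.read("C", "S04", "tool.bin")
    return out
```

Two rows of TABLE XVI come out as the table states: the page-file write succeeds, which is why the page relies on the Custodian's separate path to clean that unit, and every refused write on a read-only unit shows up only on the shadow, which the agent's port cannot enumerate or read. The model also shows why an agent cannot "grant itself" a path: `set_path` checks the requesting port against the owner, not the agent's OS credentials.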

In the configuration in FIG. 38, the IIDS systems IDx log and scan for intrusion attempts and initiate processes that alert security personnel and quarantine the affected computers. The IIDS systems IDx exert their effects on the Custodian C, which then aids the System Master SM to effect quarantine procedures. The System Master SM is a centralized location for configuring and managing the computers attached to hybrid network 100. It may also route communication traffic between the Levels and computers within the network when necessary. Both the System Master SM and the IIDS systems IDx observe the same rules for traffic flow, but only the System Master SM actually routes traffic. Client systems Clx and Internet Agents Ag are both as described in the preceding paragraphs.

The importance of these physical configurations is that they enable each computer in hybrid network 100 to have a reliable means of verifying the source of any request and to be able to rely on that source determination by way of the path by which the response was delivered. System Master SM serves as the central authority to which all computers can go to validate the source of any posted message before they process the message. Despite what has been said above regarding the System Master SM, DAC 10 is the primary enforcer of the mode and directional flow of traffic. No path exists if DAC 10A determines that a computer must not access a particular channel for the purposes of sending or receiving messages. So, even if System Master SM is able to send and receive on a channel, it cannot force that channel open for the target or source.

As will be apparent to those skilled in the art in the light of the foregoing disclosure, many alterations and modifications are possible in the practice of this invention without departing from the scope thereof. Accordingly, the scope of the invention is to be construed in accordance with the substance defined by the following claims.

1. A device for controlling communications among or within computers, computer systems, or computer networks by establishing separate physical communication paths for physically-secure access to resources, said device having an owner, comprising: (a) a plurality of access ports (AP) to which processing systems such as computer programs, computers, computer systems or computer networks attach to gain a set or subset of said separate physical communication paths for the purpose of making said physically-secure access to a set or subset of said resources to which said device controls access, each of said attached processing systems using only its own resources and, by virtue of its attachment to said AP, the resources of said device to perform said access, said plurality of APs comprising: (i) a primary AP to which one of said processing systems attaches to become a capable owner of all of said resources to which said device controls access, the one of said processing systems attached to said primary AP becoming a system master on highly secure networks enabled by said device; (ii) a plurality of secondary APs to which other of said processing systems attach to gain restricted access to a set or subset of said resources to which said device controls access, said processing systems attached to said secondary APs becoming either “client” or “server” on highly secure non-standard networks enabled by said device; (b) a plurality of transfer ports (TP) to which said resources attach to become accessible to said processing systems attached to said APs and through which access to said attached resources is controlled and restricted by said device; (c) a separate physical communication path between each said AP and each said TP of said device, wherein said separate physical communication path provides an exclusive and private communication path between each said AP and each said TP, and by virtue of which said device, when inserted into a pre-existing physical bus between said processing system at said AP and said resource at said TP and providing said separate physical communication path between said AP and said TP, becomes a physical extension and integral part of said pre-existing physical bus; (d) an access control interface associated with said primary AP through which the owner of said device sets access permissions and restrictions for each of said separate physical communication paths to predetermine the availability of said separate physical communication paths from any of said APs and the permissions allowed on each of said available separate physical communication paths; and (e) a physical or electronic hardware switch connected to each of said separate physical communication paths and controllable by said access control interface for allowing or denying access with respect to each separate physical communication path, so as to provide a physically-secure exclusive communication path between each AP and each TP with predetermined access permissions and restrictions, said physical or electronic hardware switch when not activated by said access control interface preventing said AP from detecting and accessing said resource by not enabling said separate physical communication path between said AP and said TP so that said separate physical communication path cannot become said physical extension or integral part of said pre-existing physical bus of said processing system.
2. A device as claimed in claim 1 wherein said computer resource is a storage unit having a Small Computer System Interface (SCSI) bus.
3. A device as claimed in claim 1 wherein said computer resource is random access memory (RAM).
4. A method of controlling communications among or within processing systems such as computers, computer systems, or computer networks, comprising: (a) inserting into the bus paths of a plurality of said processing systems a device to enable the establishment of separate physical communication paths for physically-secure access to resources by said processing systems, said device comprising a plurality of access ports (AP) and a plurality of transfer ports (TP) and a separate physical communication path between each said AP and each said TP of said device, wherein said separate physical communication path provides an exclusive and private communication path between each said AP and each said TP, and wherein said device, when inserted into a pre-existing physical bus between a processing system at said AP and a resource at said TP and providing said separate physical communication path between said AP and said TP, becomes a physical extension and integral part of said pre-existing physical bus; (b) attaching a plurality of said processing systems to a respective plurality of APs of said device to gain a set or subset of said device's separate physical communication paths for the purpose of making said physically-secure access to a set or subset of said resources to which said device controls access, each of said attached processing systems using only its own resources and, by virtue of its attachment to said AP, the resources of said device to perform said access, said attaching step comprising: (i) attaching one of said processing systems to a primary AP of said device to become a capable owner of all of said resources to which said device controls access and become a system master on highly secure networks enabled by said device; and (ii) attaching other of said processing systems to one or more of a plurality of secondary APs of said device to gain restricted access to a set or subset of said resources to which said device controls access; (c) attaching said resources to a plurality of TPs of said device to become accessible to said processing systems attached to said APs and such that access to said attached resources is controlled and restricted by said device; and (d) setting access permissions and restrictions for each of said separate physical communication paths through an access control interface of said device associated with said primary AP, to predetermine the availability of said separate physical communication paths from any of said APs and the permissions allowed on each of said available separate physical communication paths, wherein said access control interface controls a physical or electronic hardware switch connected to each of said separate physical communication paths for allowing or denying access with respect to each separate physical communication path, so as to provide a physically-secure exclusive communication path between each AP and each TP with predetermined access permissions and restrictions, said physical or electronic hardware switch when not activated by said access control interface preventing said AP from detecting and accessing said resource by not enabling said separate physical communication path between said AP and said TP so that said separate physical communication path cannot become said physical extension or integral part of said pre-existing physical bus of said processing system.
5. A method as claimed in claim 4, wherein said processing systems attached to said APs and said resources attached to said TPs formed a client-server network prior to insertion of said device into the bus paths between them and, after insertion of said device into said bus paths, form a secure hybrid network supporting client-server-like functionality on top of a physically-secure network enabled by said device.
6. A method as claimed in claim 4, wherein said processing systems attached to said APs and said resources attached to said TPs formed a client-server network prior to insertion of said device into the bus paths between them and, after insertion of said device into said bus paths, the client-server relationships have been replaced with information-sharing-only functionality on a physically-secure network enabled by said device.
7. A network comprising: (a) a device inserted into the bus paths of a plurality of processing systems such as computers, computer systems, or computer networks, and controlling communications among or within said processing systems by enabling the establishment of separate physical communication paths for physically-secure access to resources, said device comprising a plurality of access ports (AP) and a plurality of transfer ports (TP) and a separate physical communication path between each said AP and each said TP of said device, wherein each separate physical communication path provides an exclusive and private communication path between each said AP and each said TP; (b) processing systems such as computer programs, computers, computer systems or computer networks attached to a plurality of APs of said device to gain a set or subset of said separate physical communication paths for the purpose of making said physically-secure access to a set or subset of said resources to which said device controls access, each of said attached processing systems using only its own resources and, by virtue of its attachment to said AP, the resources of said device to perform said access, wherein: (i) one of said processing systems is attached to a primary AP of said device to become a capable owner of all of said resources to which said device controls access and become a system master on highly secure networks enabled by said device; and (ii) other of said processing systems are attached to one or more of a plurality of secondary APs of said device to gain restricted access to a set or subset of said resources to which said device controls access; (c) said resources attached to a plurality of TPs of said device to become accessible to said processing systems attached to said APs and such that access to said attached resources is controlled and restricted by said device; (d) a separate physical communication path between each said AP and each said TP of said device, wherein said separate physical communication path provides an exclusive and private communication path between each said AP and each said TP, and by virtue of which said device, when inserted into a pre-existing physical bus between said processing system at said AP and said resource at said TP and providing said separate physical communication path between said AP and said TP, becomes a physical extension and integral part of said pre-existing physical bus; (e) an access control interface associated with said primary AP through which the owner of said device sets access permissions and restrictions for each of said separate physical communication paths to predetermine the availability of said separate physical communication paths from any of said APs and the permissions allowed on each of said available separate physical communication paths; and (f) a physical or electronic hardware switch connected to each of said separate physical communication paths and controllable by said access control interface for allowing or denying access with respect to each separate physical communication path, so as to provide a physically-secure exclusive communication path between each AP and each TP with predetermined access permissions and restrictions, said physical or electronic hardware switch when not activated by said access control interface preventing said AP from detecting and accessing said resource by not enabling said separate physical communication path between said AP and said TP so that said separate physical communication path cannot become said physical extension or integral part of said pre-existing physical bus of said processing system.
8. A network as claimed in claim 7, wherein said processing systems attached to said APs and said resources attached to said TPs form a secure hybrid network supporting client-server-like functionality on top of a physically-secure network enabled by said device.
9. A network as claimed in claim 7, wherein said processing systems attached to said APs and said resources attached to said TPs provide information-sharing-only functionality on a physically-secure network enabled by said device.
10. A network comprising: (a) an interconnected plurality of devices inserted into the bus paths of a plurality of processing systems such as computers, computer systems, or computer networks, and controlling communications among or within said processing systems by enabling the establishment of separate physical communication paths for physically-secure access to resources, each device of the plurality of devices comprising a plurality of access ports (AP) and a plurality of transfer ports (TP) and a separate physical communication path between each said AP and each said TP of each device, wherein each separate physical communication path provides an exclusive and private communication path between each said AP and each said TP, and wherein said plurality of devices are interconnected via a plurality of interconnections between TPs of any one of said plurality of devices to APs of any other of said plurality of devices, said plurality of interconnections enabling processing systems attached to an AP of one of said interconnected devices to gain a set or subset of said separate physical communication paths that may be formed within said one of said interconnected devices and within said other of said interconnected devices by virtue of said plurality of interconnections between said interconnected devices; (b) processing systems such as computer programs, computers, computer systems or computer networks attached to a plurality of APs of said interconnected devices to gain a set or subset of said separate physical communication paths for the purpose of making said physically-secure access to a set or subset of said resources to which said interconnected devices control access, each of said attached processing systems using only its own resources and, by virtue of its attachment to said AP and said interconnections, the resources of said interconnected devices to perform said access, wherein: (i) at least one of said processing systems is attached to a primary AP of at least one of said interconnected devices to become a capable owner of all of said resources to which at least one of said interconnected devices controls access and become a system master on highly secure networks or sub-networks enabled by said device; and (ii) other of said processing systems are attached to one or more of a plurality of secondary APs of said interconnected devices to gain restricted access to a set or subset of said resources to which said interconnected devices control access; (c) said resources attached to a plurality of TPs of said interconnected devices to become accessible to said processing systems attached to said APs and such that access to said attached resources is controlled and restricted by said interconnected devices, and said attached resources at any of said interconnected devices can be accessed by a processing system attached to any of said interconnected devices to which said interconnections exist; (d) a separate physical communication path between each said AP and each said TP of said interconnected devices, wherein said separate physical communication path may include segments formed by interconnections which exist between said interconnected devices, and wherein said separate physical communication path provides an exclusive and private communication path between each said AP and each said TP, and by virtue of which said interconnected devices, when inserted into a pre-existing physical bus between said processing system at said AP and said resource at said TP and providing said separate physical communication path between said AP and said TP, becomes a physical extension and integral part of said pre-existing physical bus; (e) an access control interface associated with each said primary AP of each of said interconnected devices through which each owner of each of said interconnected devices sets access permissions and restrictions for each of said separate physical communication paths or segments to predetermine the availability of said separate physical communication paths from any of said APs and the permissions allowed on each of said available separate physical communication paths; and (f) a physical or electronic hardware switch connected to each of said separate physical communication paths or segments and controllable by said access control interface for allowing or denying access with respect to each separate physical communication path or segment, so as to provide a physically-secure exclusive communication path between each AP and each TP with predetermined access permissions and restrictions, said physical or electronic hardware switch when not activated by said access control interface preventing said AP from detecting and accessing said resource by not enabling said separate physical communication path or segment between said AP and said TP so that said separate physical communication path cannot become said physical extension or integral part of said pre-existing physical bus of said processing system.
11. A network as claimed in claim 10, wherein said processing systems attached to said APs and said resources attached to said TPs form a secure hybrid network supporting client-server-like functionality on top of a physically-secure network enabled by said interconnected devices.
12. A network as claimed in claim 10, wherein said processing systems attached to said APs and said resources attached to said TPs provide information-sharing-only functionality on a physically-secure network enabled by said interconnected devices.